[Bro] intel.log file stops getting generated.
jan.grashoefer at gmail.com
Sun Jan 29 09:58:20 PST 2017
> We are pulling down the feeds every day around 6:45am in morning in the bro
> feed dir.
> I was thinking that if the feeds are not getting updated
> (i.e if the feeds are same as they were before pulling), then it might
> cause all the old feeds (longer than 1 day) to expire and hence
> Bro not generating intel.log.
That is how it is supposed to work. Updating the feed files requires
atomic operations like "mv". How do you pull the feeds?
> I will still try to troubleshoot the issue, but for time being I have
> disabled the do_expire script so that intel.log file is generated.
For debugging a good start might be to test the three cases:
1. "Old" indicators that should have been expired -> no hit
2. Readded indicators that have already been added -> hit (again)
3. "New" indicators that were added the first time -> hit
Further it would be good to know if you can reproduce the same issue on
a smaller time scale.
More information about the Bro