[Bro] Intel alerts not showing up in the notice log
dopheide at gmail.com
Thu May 4 11:53:49 PDT 2017
I assume you've also redef'd Intel::read_files as well.
How are you testing it? If you're running standalone against a small pcap,
I believe Bro may finish processing traffic before it finishes loading the
Intel data. (Can anyone confirm or deny that?)
On Thu, May 4, 2017 at 1:07 PM, Dave Florek <dave.a.florek at gmail.com> wrote:
> Hi Mike,
> Thanks for the response. I'm still not seeing the Intel.log entries show
> up in my notice.log. I confirmed I have the
> @load policy/frameworks/intel/do_notice and @load frameworks/intel/seen
> in my local.bro file and the 'T' switch set on my DAT file entries.
> I'm not sure what to try next. Any recommendations?
> > Date: Tue, 2 May 2017 16:06:37 -0500
> > From: Mike Dopheide <dopheide at gmail.com>
> > Subject: Re: [Bro] Intel alerts not showing up in the notice log
> > To: Dave Florek <dave.a.florek at gmail.com>
> > Cc: "bro at bro.org" <bro at bro.org>
> > Message-ID:
> > <CAPy2kFb0Cq182NfppPmqGt42+qdUqys09r=gu7JxLojfnefL0w at mail.
> > Content-Type: text/plain; charset="utf-8"
> > I haven't read the whole thread, but you may need:
> > @load policy/frameworks/intel/do_notice
> > As well as have "meta.do_notice" set to T in your .dat files.
> > -Dop
> >> On Tue, May 2, 2017 at 3:36 PM, Dave Florek <dave.a.florek at gmail.com>
> >> Good afternoon,
> >> Was there a resolution to this thread? I'm having the same issue on a
> >> default build and I'm not sure where to start.
> >> http://mailman.icsi.berkeley.edu/pipermail/bro/2014-May/006940.html
> >> Thanks,
> >> _______________________________________________
> >> Bro mailing list
> >> bro at bro-ids.org
> >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
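As an added example (not part of the thread or of Bro's own code), a small Python checker for the symptom discussed above: it validates a Bro Intel framework .dat file's tab-separated `#fields` header and flags entries whose `meta.do_notice` is not `T`, since such indicators are written to intel.log but never raise a Notice even with `policy/frameworks/intel/do_notice` loaded. The column names and `Intel::` type prefix are the framework's; the sample file content is constructed.

```python
"""Sanity-check a Bro/Zeek Intel framework .dat file (added example).

Checks the things the thread turns on: a tab-separated '#fields' header,
the required columns, and meta.do_notice == T for every indicator.
"""
from typing import List

REQUIRED = ("indicator", "indicator_type", "meta.source")


def check_intel_file(text: str) -> List[str]:
    """Return a list of problems found; an empty list means the file looks usable."""
    problems: List[str] = []
    lines = text.splitlines()
    if not lines or not lines[0].startswith("#fields\t"):
        return ["line 1: missing tab-separated '#fields' header"]
    fields = lines[0].split("\t")[1:]
    for col in REQUIRED:
        if col not in fields:
            problems.append(f"header: required column '{col}' missing")
    if "meta.do_notice" not in fields:
        problems.append("header: no meta.do_notice column; no entry can raise a Notice")
    for n, line in enumerate(lines[1:], start=2):
        if not line or line.startswith("#"):
            continue  # blank lines and further '#' directives are ignored
        if "\t" not in line and " " in line:
            problems.append(f"line {n}: fields separated by spaces, not tabs")
            continue
        cols = line.split("\t")
        if len(cols) != len(fields):
            problems.append(f"line {n}: {len(cols)} columns, header has {len(fields)}")
            continue
        row = dict(zip(fields, cols))
        if not row.get("indicator_type", "").startswith("Intel::"):
            problems.append(f"line {n}: indicator_type '{row.get('indicator_type', '')}' lacks Intel:: prefix")
        if row.get("meta.do_notice") != "T":
            problems.append(f"line {n}: meta.do_notice is '{row.get('meta.do_notice', '')}', not T; "
                            "this indicator is logged to intel.log but never reaches notice.log")
    return problems


# Constructed sample: one correct entry, one with do_notice=F, one using spaces.
SAMPLE = "\n".join([
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.do_notice",
    "198.51.100.7\tIntel::ADDR\tconstructed-feed\tT",
    "example.test\tIntel::DOMAIN\tconstructed-feed\tF",
    "203.0.113.9 Intel::ADDR constructed-feed T",
])

if __name__ == "__main__":
    for p in check_intel_file(SAMPLE):
        print(p)
```

Run it against the file named in your `Intel::read_files` redef; the path there must be absolute and readable by the node that loads the intel.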