[Bro] A little more confusion with Intel

James Lay jlay at slave-tothe-box.net
Thu Jan 18 10:15:27 PST 2018

Ah....Ok thanks again Justin.  Seth should I put in a feature request 
for both TLD and UDP for the Intel framework?  Thanks.


On 2018-01-18 11:13, Azoff, Justin S wrote:
>> On Jan 18, 2018, at 1:06 PM, James Lay <jlay at slave-tothe-box.net> 
>> wrote:
>> Here too, is there something I'm missing?  In testing different 
>> packet captures using TCP, I get intel...so does the Intel framework 
>> not support UDP?  Thank you.
>> James
> The intel framework doesn't know anything about tcp or udp.  The
> default scripts for connections only alert on tcp connections though:
> https://github.com/bro/bro/blob/master/scripts/policy/frameworks/intel/seen/conn-established.bro
> Justin Azoff
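
One way to get host intel matches for UDP flows, given that the default conn-established.bro only handles established TCP connections (an added example, not code from this thread or from the Bro project). The module name `IntelUDP`, the option `require_reply` and the helper `report` are hypothetical names chosen for illustration.

```bro
@load base/frameworks/intel
@load frameworks/intel/seen/where-locations

module IntelUDP;	# hypothetical module name

export {
	## When T, report only at flow removal and only if the responder
	## also sent data (closest UDP analogue of "established").
	## When F, report on the first packet of every UDP flow.
	const require_reply = F &redef;
}

# Hand both endpoints to the Intel framework, as conn-established.bro
# does for TCP.
function report(c: connection)
	{
	Intel::seen([$host=c$id$orig_h, $conn=c, $where=Conn::IN_ORIG]);
	Intel::seen([$host=c$id$resp_h, $conn=c, $where=Conn::IN_RESP]);
	}

# new_connection fires for the first packet of any flow; filter to UDP
# so TCP is not reported twice alongside the default script.
event new_connection(c: connection)
	{
	if ( ! require_reply &&
	     get_port_transport_proto(c$id$resp_p) == udp )
		report(c);
	}

# Delayed variant: runs when the flow times out of the connection table,
# so hits appear later but one-way traffic (e.g. unanswered scans) is skipped.
event connection_state_remove(c: connection)
	{
	if ( require_reply &&
	     get_port_transport_proto(c$id$resp_p) == udp &&
	     c$orig$state == UDP_ACTIVE && c$resp$state == UDP_ACTIVE )
		report(c);
	}
```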
