[Bro] CIF and Bro Integration

Jon Schipp jonschipp at gmail.com
Wed Mar 26 17:11:16 PDT 2014


That is correct. Explained here and elsewhere in the Bro documentation:
http://blog.bro.org/2014/01/intelligence-data-and-bro_4980.html

On Wed, Mar 26, 2014 at 4:27 PM, Derek Banks <itsecderek at gmail.com> wrote:

> The way I understand it, when new items are added to the files you include
> in the Intel Framework, they are picked up and then in use.  However, to
> remove items requires a Bro restart.  Someone please correct me if that is
> not accurate.
>
> FWIW, I have the CIF client on my Bro boxes pulling daily and I am
> contemplating a weekly restart to dump anything no longer included in the
> confidence level of the feed.
>
> Regards,
> Derek
> On Mar 26, 2014 5:02 PM, "O'Brion, Tom" <TOBrion at unum.com> wrote:
>
>> Quick question when implementing the Intel Framework based on this post:
>>
>>
>> http://blog.opensecurityresearch.com/2014/03/identifying-malware-traffic-with-bro.html
>>
>> Do you need to restart & reinstall BRO for it to grab a new feed?  I am
>> going to script up a weekly cif reload and want to make sure.
>>
>> Thanks
>>
>> - Tom
>>
>> - "Life is too short to spend time with people who suck the happy out of
>> you."
>>
>>
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>



-- 
Jon Schipp,
jonschipp.com, sickbits.net
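
An added example, not part of the original thread or of Bro itself: a sketch of the check a scheduled CIF refresh could run, comparing the previous and the newly pulled intel file and flagging a restart only when indicators were dropped, since per the thread additions load live and removals do not. The function names and the sample feed contents are constructed for illustration; the file layout assumed is the tab-separated Intel Framework format with a `#fields` header.

```python
# Added example: decide whether a refreshed CIF feed needs a Bro restart.
# Assumption (from the thread): new intel entries load live, removals do not.

# Constructed sample intel files (tab-separated, Intel Framework layout).
HEADER = "#fields\tindicator\tindicator_type\tmeta.source\n"
OLD_FEED = (HEADER
            + "192.0.2.10\tIntel::ADDR\tCIF\n"
            + "bad.example.com\tIntel::DOMAIN\tCIF\n")
NEW_FEED = (HEADER
            + "192.0.2.10\tIntel::ADDR\tCIF\n"
            + "198.51.100.7\tIntel::ADDR\tCIF\n")


def load_indicators(text):
    """Return the set of (indicator, indicator_type) pairs in an intel file."""
    fields = None
    found = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields"):
            # Column names follow the '#fields' token, tab-separated.
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue  # other comment/metadata lines
        if fields is None:
            raise ValueError("intel file has no #fields header")
        row = dict(zip(fields, line.split("\t")))
        if "indicator" not in row or "indicator_type" not in row:
            raise ValueError("malformed intel row: %r" % line)
        found.add((row["indicator"], row["indicator_type"]))
    return found


def plan_reload(old_text, new_text):
    """Diff two feed snapshots; a restart is needed only if entries vanished."""
    old, new = load_indicators(old_text), load_indicators(new_text)
    removed = sorted(old - new)
    return {"added": sorted(new - old),
            "removed": removed,
            "restart_needed": bool(removed)}


if __name__ == "__main__":
    plan = plan_reload(OLD_FEED, NEW_FEED)
    print("added:", plan["added"])
    print("removed:", plan["removed"])
    print("restart needed:", plan["restart_needed"])
```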