[Bro] CIF and Bro Integration

Justin Azoff JAzoff at albany.edu
Wed Mar 26 17:20:41 PDT 2014


On Wed, Mar 26, 2014 at 07:11:16PM -0500, Jon Schipp wrote:
> That is correct. Explained here and elsewhere in the Bro documentation:
> http://blog.bro.org/2014/01/intelligence-data-and-bro_4980.html
> 
> On Wed, Mar 26, 2014 at 4:27 PM, Derek Banks <itsecderek at gmail.com> wrote:
> 
> 
>     The way I understand it, when new items are added to the files you include
>     in the Intel Framework, they are picked up and then in use.  However, to
>     remove items requires a Bro restart.  Someone please correct me if that is
>     not accurate.
> 
>     FWIW, I have the CIF client on my Bro boxes pulling daily and I am
>     contemplating a weekly restart to dump anything no longer included in the
>     confidence level of the feed.
> 
>     Regards,
>     Derek

You sure about that?

Input::REREAD will add/remove items as needed, but the Input::STREAM
mode is append only.

http://bro.org/sphinx/frameworks/input.html#re-reading-and-streaming-data

-- 
-- Justin Azoff
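The two input modes Justin contrasts, shown as an added Bro script example (this is not code from the thread or from the Bro project; the module name, record types, event name and feed path are placeholders). The feed is a tab-separated file with a `#fields	ip	reason` header, such as one an external puller like the CIF client might write, and the table it fills can be consulted from ordinary event handlers:

```bro
# Added example, not from the original thread. Module, record and event
# names and the feed path are placeholders; only the Input framework
# calls (Input::add_table, Input::REREAD, Input::STREAM, the Input::Event
# values) are real Bro identifiers.
module WatchList;

export {
    # One row of the input file. The file needs a "#fields<TAB>ip<TAB>reason"
    # header line so the reader can map columns onto these record fields.
    type Idx: record {
        ip: addr;
    };
    type Val: record {
        reason: string;
    };

    # Destination table; the reader keeps it in sync with the file.
    global entries: table[addr] of Val = table();

    # Placeholder path to the feed written by an external puller.
    const feed = "/path/to/watchlist.dat" &redef;
}

# Called by the reader for every row it adds, changes or removes.
event entry_changed(description: Input::TableDescription,
                    tpe: Input::Event, left: Idx, right: Val)
    {
    if ( tpe == Input::EVENT_REMOVED )
        print fmt("watchlist: %s dropped from feed", left$ip);
    else if ( tpe == Input::EVENT_NEW )
        print fmt("watchlist: %s added (%s)", left$ip, right$reason);
    }

event bro_init()
    {
    # Input::REREAD re-parses the whole file whenever it changes, so a row
    # deleted from the file is also deleted from `entries` (and reported
    # above as EVENT_REMOVED). Switching $mode to Input::STREAM would make
    # the reader consume only lines appended to the file, so a deleted row
    # would stay in the table until Bro is restarted.
    Input::add_table([$source=feed,
                      $name="watchlist",
                      $idx=Idx,
                      $val=Val,
                      $destination=entries,
                      $mode=Input::REREAD,
                      $ev=entry_changed]);
    }

# Consumers just look the table up; they never see stale rows under REREAD.
event connection_established(c: connection)
    {
    if ( c$id$resp_h in entries )
        print fmt("connection from %s to listed host %s (%s)",
                  c$id$orig_h, c$id$resp_h, entries[c$id$resp_h]$reason);
    }
```

To observe the difference, run the script, delete a line from the feed file and watch whether an `EVENT_REMOVED` message appears: it does under `Input::REREAD` and not under `Input::STREAM`.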
