[Bro] CIF and Bro Integration

Jon Schipp jonschipp at gmail.com
Wed Mar 26 18:14:55 PDT 2014


I'm not so certain anymore ;)
It looks like you're right that the mode is set to REREAD [1].
Though, I'm pretty sure that I've read in the documentation that a restart
is required for the removal of items.
Maybe that was a mistake. Oh well.

[1]
https://github.com/bro/bro/blob/8bfb81ca6fdd1238504b29a6a866170cd0211be6/scripts/base/frameworks/intel/input.bro#L24-L30


On Wed, Mar 26, 2014 at 7:20 PM, Justin Azoff <JAzoff at albany.edu> wrote:

> On Wed, Mar 26, 2014 at 07:11:16PM -0500, Jon Schipp wrote:
> > That is correct. Explained here and elsewhere in the Bro documentation:
> > http://blog.bro.org/2014/01/intelligence-data-and-bro_4980.html
> >
> > On Wed, Mar 26, 2014 at 4:27 PM, Derek Banks <itsecderek at gmail.com> wrote:
> >
> >     The way I understand it, when new items are added to the files you
> >     include in the Intel Framework, they are picked up and then in use.
> >     However, to remove items requires a Bro restart.  Someone please
> >     correct me if that is not accurate.
> >
> >     FWIW, I have the CIF client on my Bro boxes pulling daily and I am
> >     contemplating a weekly restart to dump anything no longer included
> >     in the confidence level of the feed.
> >
> >     Regards,
> >     Derek
>
> You sure about that?
>
> Input::REREAD will add/remove items as needed, but the Input::STREAM
> mode is append only.
>
> http://bro.org/sphinx/frameworks/input.html#re-reading-and-streaming-data
>
> --
> -- Justin Azoff
>



-- 
Jon Schipp,
jonschipp.com, sickbits.net
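The REREAD-versus-STREAM distinction Justin points to can be checked directly with the generic Input framework rather than the Intel framework's own reader. The script below is an added example, not code from this thread or from the Bro project; the indicator file path, the Idx/Val record types and the stream name "cif_indicators" are assumptions.

```bro
# Added example, not code from the thread or the Bro project: a standalone
# Input framework script that watches a small tab-separated indicator file
# and reports every add, change and removal the reader delivers. With
# $mode=Input::REREAD a line deleted from the file yields EVENT_REMOVED;
# with Input::STREAM removals are never delivered (append-only).
# The file path, type names and stream name are assumptions.

# Constructed input file, tab-separated, with a #fields header line:
#   #fields <TAB> ip <TAB> source
#   192.0.2.10 <TAB> cif
#   192.0.2.11 <TAB> cif
const indicator_file = "/opt/bro/share/intel/cif-indicators.txt" &redef;

type Idx: record {
    ip: addr;
};

type Val: record {
    source: string;
};

# Destination table the Input framework keeps in sync with the file.
global indicators: table[addr] of Val = table();

# Called once per changed entry; tpe says which kind of change it was.
event indicator_change(desc: Input::TableDescription, tpe: Input::Event,
                       left: Idx, right: Val)
    {
    if ( tpe == Input::EVENT_NEW )
        print fmt("added   %s (%s)", left$ip, right$source);
    else if ( tpe == Input::EVENT_CHANGED )
        print fmt("changed %s (%s)", left$ip, right$source);
    else if ( tpe == Input::EVENT_REMOVED )
        # Only reachable in REREAD mode; STREAM never reports removals.
        print fmt("removed %s (%s)", left$ip, right$source);
    }

# Called after each (re)read finishes; confirms the table really shrank.
event Input::end_of_data(name: string, source: string)
    {
    if ( name == "cif_indicators" )
        print fmt("%s now holds %d indicators", source, |indicators|);
    }

event bro_init()
    {
    Input::add_table([$source=indicator_file, $name="cif_indicators",
                      $idx=Idx, $val=Val, $destination=indicators,
                      $mode=Input::REREAD, $ev=indicator_change]);
    }
```

Run it with a live Bro instance, delete one line from the file, and the "removed" line plus a smaller count in end_of_data appear without a restart; changing $mode to Input::STREAM makes the deletion go unreported.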