[Bro] CIF and Bro Integration

Derek Banks itsecderek at gmail.com
Wed Mar 26 19:25:24 PDT 2014


Check out a post I made on this on the CIF user group, it should point you
in the right direction.

Regards,
Derek
On Mar 26, 2014 10:07 PM, "Tom OBrion" <hammadog at gmail.com> wrote:

> Thanks all for the feedback.  But now I have run into another issue with
> generating the CIF feed with the -p bro plugin.  The feed generated as the
> attached links feed did.
>
> From the test feed that was in the supplied link:
> #fields indicator indicator_type meta.source meta.desc meta.url
> meta.cif_impact meta.cif_severity meta.cif_confidence
>
> When I generated my own feed it came back as this.
> #fields host net str str_type meta.source meta.desc meta.url
> meta.cif_impact meta.cif_severity meta.cif_confidence
>
> The attached link (in current thread) feed works and generates the
> intel.log file, but the one I generate does not generate a log entry.  Is
> there something else in BRO that I need to do for the feed to work
> properly?  If someone could point me in the right direction, I would much
> appreciate it!
>
> Tom
>
>
> On Wed, Mar 26, 2014 at 9:46 PM, Bernhard Amann <
> bernhard at icsi.berkeley.edu> wrote:
>
>>
>> On Mar 26, 2014, at 6:14 PM, Jon Schipp <jonschipp at gmail.com> wrote:
>>
>> > I'm not so certain anymore ;)
>> > It looks like you're right [1] that the mode is set to REREAD [1].
>> > Though, I'm pretty sure that I've read in the documentation that a
>> restart is required for the removal of items.
>> > Maybe that was a mistake. Oh well.
>>
>> You are right about that. Even though reread supports the removal of
>> items,
>> the current way in which it is used in the intelligence framework does
>> not seem to.
>>
>> I have to ask Seth why that is the case - it should be easy to change
>> this.
>>
>> Bernhard
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>
>
>
> --
>
> Tom O'Brion
> Twitter: @tobrion
> Skype: TomOBrion
> "Life is too short to spend time with people who suck the happy out of
> you."
>
>
>
>
>
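The two "#fields" headers Tom quotes above are the whole story: Bro's intel framework reads a tab-separated file and only recognises the columns "indicator", "indicator_type" and "meta.source" (plus optional "meta.*" columns), so a feed whose header names the columns "host net str str_type" loads without ever producing an intel.log entry. The following checker is an added example, not code from the thread, CIF or the Bro project; it validates a feed's header and rows before the feed is pointed at Bro. The list of Intel::* indicator types is the Bro 2.x Intel::Type enum as I know it, and the two sample feeds are constructed from the headers quoted in the thread.

```python
"""Validate a Bro intel-framework feed file before loading it into Bro.

Added example, not part of the mailing-list thread. The checker reports the
header mismatch described in the thread (columns named host/net/str/str_type
instead of indicator/indicator_type) instead of letting Bro silently produce
no intel.log entries.
"""

# Columns the intel framework needs to interpret a row at all.
REQUIRED_COLUMNS = ("indicator", "indicator_type", "meta.source")

# Indicator types of the Bro 2.x Intel::Type enum (assumed complete for 2.2).
KNOWN_TYPES = {
    "Intel::ADDR", "Intel::URL", "Intel::SOFTWARE", "Intel::EMAIL",
    "Intel::DOMAIN", "Intel::USER_NAME", "Intel::FILE_HASH",
    "Intel::FILE_NAME", "Intel::CERT_HASH",
}


def parse_fields_header(line):
    """Return the column names of a '#fields' header line, or None."""
    if not line.startswith("#fields"):
        return None
    return line.rstrip("\r\n").split("\t")[1:]


def check_feed(text):
    """Return a list of problems; an empty list means the feed looks loadable."""
    problems = []
    lines = text.splitlines()
    if not lines or not lines[0].strip():
        return ["feed is empty"]
    header = lines[0]
    if "\t" not in header:
        # Bro's input framework splits on tabs; a space-separated header
        # would collapse into a single bogus column name.
        return ["header is not tab-separated"]
    columns = parse_fields_header(header)
    if columns is None:
        return ["first line must be a '#fields' header"]
    for name in REQUIRED_COLUMNS:
        if name not in columns:
            problems.append("missing required column '%s'" % name)
    if problems:
        # Without the required columns the data rows cannot be interpreted.
        return problems
    type_idx = columns.index("indicator_type")
    for lineno, row in enumerate(lines[1:], start=2):
        if not row.strip() or row.startswith("#"):
            continue
        values = row.split("\t")
        if len(values) != len(columns):
            problems.append("line %d: %d values for %d columns"
                            % (lineno, len(values), len(columns)))
            continue
        if values[type_idx] not in KNOWN_TYPES:
            problems.append("line %d: unknown indicator_type '%s'"
                            % (lineno, values[type_idx]))
    return problems


# Constructed samples: the working header and the broken header from the thread.
WORKING_FEED = (
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.url\n"
    "198.51.100.7\tIntel::ADDR\tcif-example\tconstructed sample\t"
    "http://example.invalid/\n"
)
BROKEN_FEED = (
    "#fields\thost\tnet\tstr\tstr_type\tmeta.source\tmeta.desc\tmeta.url\n"
    "198.51.100.7\t-\t-\tIntel::ADDR\tcif-example\tconstructed sample\t"
    "http://example.invalid/\n"
)

if __name__ == "__main__":
    for label, feed in (("working", WORKING_FEED), ("broken", BROKEN_FEED)):
        print(label, check_feed(feed) or "ok")
```

Run it against the file a CIF client wrote out; any "missing required column" line means the feed will be ignored by Bro's intel framework no matter what else is configured.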