[Bro] Removing IP from Intel Framework?
Aaron Gee-Clough
lists at g-clef.net
Mon Sep 15 06:22:13 PDT 2014
All,
I'm working with the intel framework and enjoying it, but have hit a bit
of a problem: I can successfully add new IPs to watchlists in the
framework, but I can't remove them without restarting bro. I'd like to
be able to do this to handle false positives, for example.
The fact that new watchlist entries are flagged says to me that I'm
doing the "create the file then move it into place" bit properly...I
don't know what's up with removing entries, though.
I'm running bro 2.3 (the 06/16/14 release), and am invoking the intel
framework like this:
@load frameworks/intel/seen
@load frameworks/intel/do_notice
redef Intel::read_files += {
"/opt/bro/etc/internalList.dat",
};
internalList.dat looks like:
#fields	indicator	indicator_type	meta.source	meta.url	meta.do_notice	meta.if_in
targetDomain.blah	Intel::DOMAIN	internal_monitoring	https://internalsite/campaign?arg1=text&arg2=some%20more%20text	T	-
Any ideas?
Thanks.
Aaron
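The "create the file then move it into place" step mentioned in the post, as an added example that is not part of the original message or of Bro itself: a small Python helper that renders a watchlist in the tab-separated intel-file layout shown above (the #fields header, "-" for an unset column), drops an indicator from the in-memory list, and replaces the file atomically with a same-directory temp file plus rename, so the input framework never sees a half-written file. The column order, the entry dict keys, and the function names are assumptions for this example; whether a running Bro 2.3 picks up removed rows on reread is the open question of the post and is not something this helper settles.

```python
import os
import tempfile

# Column order assumed to match the #fields header in the post.
FIELDS = ["indicator", "indicator_type", "meta.source",
          "meta.url", "meta.do_notice", "meta.if_in"]


def render_intel_file(entries):
    """Render a list of dicts as intel-file text: a '#fields' header line,
    one tab-separated row per entry, and '-' for any column that is unset."""
    lines = ["#fields\t" + "\t".join(FIELDS)]
    for e in entries:
        lines.append("\t".join(str(e.get(f, "-")) for f in FIELDS))
    return "\n".join(lines) + "\n"


def remove_indicator(entries, indicator):
    """Return the watchlist without every row whose indicator matches."""
    return [e for e in entries if e["indicator"] != indicator]


def write_intel_file_atomically(path, entries):
    """Write the rendered watchlist to a temp file in the target's directory,
    flush it to disk, then rename it over the target in one step."""
    text = render_intel_file(entries)
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix=".intel-", dir=directory)
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
            fh.flush()
            os.fsync(fh.fileno())
        os.rename(tmp, path)  # atomic replace on POSIX filesystems
    except BaseException:
        os.unlink(tmp)
        raise


# Constructed sample watchlist (not real indicators), mirroring the post's row.
SAMPLE_ENTRIES = [
    {"indicator": "targetDomain.blah", "indicator_type": "Intel::DOMAIN",
     "meta.source": "internal_monitoring",
     "meta.url": "https://internalsite/campaign?arg1=text&arg2=some%20more%20text",
     "meta.do_notice": "T"},
    {"indicator": "192.0.2.10", "indicator_type": "Intel::ADDR",
     "meta.source": "internal_monitoring", "meta.do_notice": "T"},
]

if __name__ == "__main__":
    # Usage: drop one indicator (e.g. a confirmed false positive) and rewrite the file.
    remaining = remove_indicator(SAMPLE_ENTRIES, "192.0.2.10")
    write_intel_file_atomically("/tmp/internalList.dat", remaining)
    print(render_intel_file(remaining))
```

The rename is the important part: the input framework reads the file at the path it was given, and an in-place truncate-and-rewrite briefly exposes an empty or partial file, whereas mkstemp plus rename swaps a complete file in.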