[Bro] Removing IP from Intel Framework?

Mike Reeves luke at geekempire.com
Mon Sep 15 07:00:29 PDT 2014


Unfortunately there is no way to remove them without restarting.

On Monday, September 15, 2014, Aaron Gee-Clough <lists at g-clef.net> wrote:

>
> All,
>
> I'm working with the intel framework and enjoying it, but have hit a bit
> of a problem: I can successfully add new IPs to watchlists in the
> framework, but I can't remove them without restarting bro. I'd like to
> be able to do this to handle false-positives, for example.
>
> The fact that new watchlist entries are flagged says to me that I'm
> doing the "create the file then move it into place" bit properly...I
> don't know what's up with removing entries, though.
>
> I'm running bro 2.3 (the 06/16/14 release), and am invoking the intel
> framework like this:
>
> @load frameworks/intel/seen
> @load frameworks/intel/do_notice
>
> redef Intel::read_files += {
>         "/opt/bro/etc/internalList.dat",
> };
>
> internalList.dat looks like:
>
> #fields indicator       indicator_type  meta.source     meta.url        meta.do_notice  meta.if_in
> targetDomain.blah       Intel::DOMAIN   internal_monitoring     https://internalsite/campaign?arg1=text&arg2=some%20more%20text T       -
>
>
> Any ideas?
>
> Thanks.
>
> Aaron
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
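As an added example (not code from the poster or from the Bro project), a small Python checker for the tab-separated intel file format shown above. It rejects the usual formatting mistakes (space-separated columns, wrong column count, bad indicator type) and reports which indicators differ between two versions of the file, which matters because, as the reply says, removed entries stay active in the running Bro until it is restarted. The file contents, including the 192.0.2.10 entry, are constructed for the example.

```python
# Constructed sample intel files in the Bro 2.3 format from the post:
# '#fields' header, tab-separated columns, '-' for an empty value.
FIELDS = "#fields\tindicator\tindicator_type\tmeta.source\tmeta.url\tmeta.do_notice\tmeta.if_in\n"
SAMPLE_V1 = (
    FIELDS
    + "targetDomain.blah\tIntel::DOMAIN\tinternal_monitoring\thttps://internalsite/campaign?arg1=text\tT\t-\n"
    + "192.0.2.10\tIntel::ADDR\tinternal_monitoring\t-\tT\t-\n"   # constructed entry
)
SAMPLE_V2 = (
    FIELDS
    + "targetDomain.blah\tIntel::DOMAIN\tinternal_monitoring\thttps://internalsite/campaign?arg1=text\tT\t-\n"
)

REQUIRED = ("indicator", "indicator_type", "meta.source")


def parse_intel(text):
    """Parse an intel file into {(indicator, indicator_type): {field: value}}.
    Raises ValueError on the format errors that silently stop entries from loading."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("#fields\t"):
        raise ValueError("first line must be a tab-separated '#fields' header")
    fields = lines[0].split("\t")[1:]
    missing = [f for f in REQUIRED if f not in fields]
    if missing:
        raise ValueError("header lacks required fields: " + ", ".join(missing))
    entries = {}
    for lineno, line in enumerate(lines[1:], start=2):
        if not line or line.startswith("#"):
            continue
        if "\t" not in line:
            # Most common cause of "my entry never fires": spaces instead of tabs.
            raise ValueError("line %d is not tab-separated" % lineno)
        cols = line.split("\t")
        if len(cols) != len(fields):
            raise ValueError("line %d has %d columns, header has %d" % (lineno, len(cols), len(fields)))
        rec = dict(zip(fields, cols))
        if not rec["indicator_type"].startswith("Intel::"):
            raise ValueError("line %d: bad indicator_type %r" % (lineno, rec["indicator_type"]))
        entries[(rec["indicator"], rec["indicator_type"])] = rec
    return entries


def diff_intel(old_text, new_text):
    """Return (added, removed) key sets between two versions of the file.
    Added keys take effect when the new file is moved into place; removed keys
    remain active in the running Bro until it is restarted."""
    old, new = parse_intel(old_text), parse_intel(new_text)
    return set(new) - set(old), set(old) - set(new)
```

Run `diff_intel` against the last file Bro loaded and the current one to see which indicators still need a restart to disappear.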