[Bro] Removing IP from Intel Framework?

Michał Purzyński michalpurzynski1 at gmail.com
Mon Sep 15 14:05:53 PDT 2014


W00t, thanks a lot, testing ASAP.

On Mon, Sep 15, 2014 at 10:53 PM, Seth Hall <seth at icir.org> wrote:

>
> On Sep 15, 2014, at 1:13 PM, Seth Hall <seth at icir.org> wrote:
>
> > I'm hoping that I can get a repository up on github today/tonight that
> makes your statement incorrect. :)
>
> https://github.com/sethhall/intel-ext
>
> This repository adds two features.
>         - You can extend your intel log (now named intel_ext.log).
>         - You can whitelist items.
>
> These features will likely be integrated into Bro at a future date.  I'm
> trying to use this ext repository as a way to vet features for the intel
> framework before integrating them right into the main distribution.
>
> If you want to start whitelisting intel items at runtime, you should
> create a new intel file with an extra "meta.whitelist" field and set the
> field value to "T" (there is a test that shows this).  As you add elements
> to this intel file, those items won't show up in your intel_ext.log.
>
> The intel file will look something like this...
>
> #fields indicator       indicator_type  meta.source     meta.whitelist
> bro.org Intel::DOMAIN   my_whitelist    T
>
> You should probably maintain this as a separate file and make sure that
> you are giving the source as something distinct from where the data comes
> from originally (it's "my_whitelist" in my example).
>
> Have fun! :)
>
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>



-- 
Michał Purzyński
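A worked illustration of the whitelist file format described in the quoted message, added here as an example and not code from the thread or from the intel-ext repository. It assumes Bro intel files are tab-separated (the spaces in the mail rendering are an artifact of the mail client) and simplifies whitelist matching to indicator plus indicator_type; the sample feed lines are constructed.

```python
"""Build and sanity-check Bro intel files carrying the extra meta.whitelist column."""

# Constructed sample feed (NOT real indicators). Columns are TAB-separated,
# which is what the Bro input framework expects; spaces will not parse.
THREAT_FEED = (
    "#fields\tindicator\tindicator_type\tmeta.source\n"
    "bro.org\tIntel::DOMAIN\tvendor_feed\n"
    "bad.example\tIntel::DOMAIN\tvendor_feed\n"
)


def parse_intel(text):
    """Parse a #fields-headed, tab-separated intel file into a list of dicts."""
    header, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        if cols[0] == "#fields":
            header = cols[1:]
            continue
        if header is None:
            raise ValueError("data line before #fields header")
        if len(cols) != len(header):
            # Typical cause: space-separated columns pasted from an email.
            raise ValueError(f"expected {len(header)} tab-separated columns: {line!r}")
        records.append(dict(zip(header, cols)))
    return records


def make_whitelist(indicators, source="my_whitelist"):
    """Emit a whitelist file as the message describes: meta.whitelist=T and a
    meta.source that is distinct from the feed the indicator came from."""
    lines = ["#fields\tindicator\tindicator_type\tmeta.source\tmeta.whitelist"]
    lines += ["\t".join([ind, itype, source, "T"]) for ind, itype in indicators]
    return "\n".join(lines) + "\n"


def whitelist_source_ok(feed_text, whitelist_text):
    """True if no whitelist entry reuses a source name present in the feed."""
    feed_sources = {r["meta.source"] for r in parse_intel(feed_text)}
    return all(r["meta.source"] not in feed_sources for r in parse_intel(whitelist_text))


def effective_hits(feed_text, whitelist_text):
    """Feed indicators that would still reach intel_ext.log (assumed matching
    rule: same indicator and indicator_type, whitelist flag set to T)."""
    wl = {(r["indicator"], r["indicator_type"])
          for r in parse_intel(whitelist_text) if r.get("meta.whitelist") == "T"}
    return [r["indicator"] for r in parse_intel(feed_text)
            if (r["indicator"], r["indicator_type"]) not in wl]
```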