[Bro] BRO intel framework

Giedrius Ramas giedrius.ramas at gmail.com
Tue Apr 28 22:43:02 PDT 2015


Thanks for the reply,
Could you please elaborate more on that point: "Also, the internal
intelligence representation is accumulative.  If you remove something from
that file, Bro is still watching for it." So, for example, if I
overwrite the whole intel file with a new one, what happens to the
records from the old file? Is Bro still watching for them?

On Tue, Apr 28, 2015 at 7:10 PM, Seth Hall <seth at icir.org> wrote:

>
> > On Apr 28, 2015, at 3:39 AM, Giedrius Ramas <giedrius.ramas at gmail.com> wrote:
> >
> > How can I append data to /intel.dat? Can I just overwrite it by using
> > the Linux mv command?
>
> Yes, that’s the best option.
>
> > Is it necessary to reload Bro once /intel.dat has changed?
>
> Nope. Bro will pick up the changes automatically.  If you are running on a
> cluster, it will pick them up on the manager and distribute them out to the
> workers.  Also, the internal intelligence representation is accumulative.
> If you remove something from that file, Bro is still watching for it.
>
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>
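
A sketch of the update flow discussed in this thread, added here as an example and not part of the original messages: write the new intel file beside the live one, rename it into place (what `mv` does within one filesystem), and report which indicators the new file dropped. The `#fields` column layout, the `example-feed` source label, the helper names and the sample indicators are assumptions constructed for illustration.

```python
import os
import tempfile

HEADER = "#fields\tindicator\tindicator_type\tmeta.source\n"  # assumed column layout

def read_indicators(path):
    """Return the set of (indicator, indicator_type) pairs in an intel file."""
    items, fields = set(), None
    if not os.path.exists(path):
        return items
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.rstrip("\n")
            if line.startswith("#fields"):
                fields = line.split("\t")[1:]
            elif line and not line.startswith("#"):
                if fields is None:
                    raise ValueError(f"{path}: data row before #fields header")
                row = dict(zip(fields, line.split("\t")))
                items.add((row["indicator"], row["indicator_type"]))
    return items

def publish_intel(new_rows, live_path, source="example-feed"):
    """Replace live_path in one rename; return indicators dropped from the file."""
    old = read_indicators(live_path)
    directory = os.path.dirname(os.path.abspath(live_path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".intel.")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(HEADER)
        for indicator, itype in sorted(new_rows):
            fh.write(f"{indicator}\t{itype}\t{source}\n")
    os.chmod(tmp, 0o644)        # mkstemp creates 0600; the Bro user must be able to read it
    os.replace(tmp, live_path)  # same-directory rename, so a reader never sees a partial file
    return sorted(old - set(new_rows))

def demo():
    """Constructed sample data: publish two versions and list what the second one dropped."""
    with tempfile.TemporaryDirectory() as d:
        live = os.path.join(d, "intel.dat")
        v1 = {("198.51.100.7", "Intel::ADDR"), ("bad.example.com", "Intel::DOMAIN")}
        v2 = {("bad.example.com", "Intel::DOMAIN"), ("203.0.113.9", "Intel::ADDR")}
        first = publish_intel(v1, live)
        dropped = publish_intel(v2, live)
        return first, dropped, read_indicators(live) == v2

if __name__ == "__main__":
    print(demo())
```

Indicators in the returned list are gone from the file but, per the reply quoted above, Bro is still watching for them.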