[Bro] BRO intel framework

Nick Pratley npratley at redhat.com
Tue Apr 28 22:59:27 PDT 2015


On Wed, 2015-04-29 at 08:43 +0300, Giedrius Ramas wrote:
> Thanks for the reply.
> Could you please elaborate more on this point: "Also, the internal
> intelligence representation is accumulative.  If you remove something
> from that file, Bro is still watching for it." So, for example, if I
> overwrite the whole intel file with a new one, what happens to
> the records from the old file? Is Bro still watching for them?

Yes, Bro would still be watching for them, at least if
http://blog.bro.org/2014/01/intelligence-data-and-bro_4980.html is still
accurate:

"
 A restart is required if you want to purge entries that have been
removed from the feeds, but not if you only want the new entries because
Bro keeps the file open and will pick up any new additions.
"

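The behaviour discussed in this thread, as an added example that is not part of the original messages or of Bro itself: a small script that compares the previous and the new version of an intel file and lists the indicators that were dropped, which per the quoted blog post stay loaded until Bro is restarted. It assumes the tab-separated intel file layout with a `#fields` header; the function names and all sample indicators are constructed for illustration.

```python
# Added example: sample data is constructed (documentation IPs / example.com).
HEADER = "#fields\tindicator\tindicator_type\tmeta.source\n"
OLD_FILE = HEADER + (
    "192.0.2.10\tIntel::ADDR\tfeed-a\n"
    "bad.example.com\tIntel::DOMAIN\tfeed-a\n"
)
NEW_FILE = HEADER + (
    "bad.example.com\tIntel::DOMAIN\tfeed-a\n"
    "198.51.100.7\tIntel::ADDR\tfeed-b\n"
)


def load_indicators(text):
    """Parse intel-file text into a set of (indicator, indicator_type)."""
    fields = None
    items = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]  # column names follow the tag
            continue
        if line.startswith("#"):
            continue  # other comment/header lines
        if fields is None:
            raise ValueError("intel file has no #fields header")
        row = dict(zip(fields, line.split("\t")))
        items.add((row["indicator"], row["indicator_type"]))
    return items


def stale_after_overwrite(old_text, new_text):
    """Entries dropped from the file; per the thread, watched until restart."""
    return sorted(load_indicators(old_text) - load_indicators(new_text))


def added_by_overwrite(old_text, new_text):
    """Entries that appear only in the new version of the file."""
    return sorted(load_indicators(new_text) - load_indicators(old_text))


if __name__ == "__main__":
    for ind, kind in stale_after_overwrite(OLD_FILE, NEW_FILE):
        print(f"still in memory until restart: {ind} ({kind})")
    for ind, kind in added_by_overwrite(OLD_FILE, NEW_FILE):
        print(f"new entry in file: {ind} ({kind})")
```

A non-empty result from `stale_after_overwrite` is the signal that a restart is needed to purge the removed entries.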


