[Bro] BRO intel framework

Giedrius Ramas giedrius.ramas at gmail.com
Wed Apr 29 04:42:03 PDT 2015


One more thing I need to clarify. I see that in the Bro intel data file (generated
by CIF) the Intel::URL URLs have the prefix http://. However, when I visit
these URLs, Bro Intel does not trigger. I tried removing the http:// prefix from the
URLs in the Bro intel file, and Bro Intel works well then. So is there anything
wrong with the CIF-generated Bro intel file, or elsewhere?

On Wed, Apr 29, 2015 at 8:59 AM, Nick Pratley <npratley at redhat.com> wrote:

> On Wed, 2015-04-29 at 08:43 +0300, Giedrius Ramas wrote:
> > Thanks for the reply.
> > Could you please elaborate on that point: "Also, the internal
> > intelligence representation is accumulative.  If you remove something
> > from that file, Bro is still watching for it." So, for example, if I
> > overwrite the whole intel file with a new one, what happens to
> > the records from the old file? Is Bro still watching for them?
>
> Yes, Bro would still be watching for them, at least if
> http://blog.bro.org/2014/01/intelligence-data-and-bro_4980.html is still
> accurate:
>
> "
>  A restart is required if you want to purge entries that have been
> removed from the feeds, but not if you only want the new entries because
> Bro keeps the file open and will pick up any new additions.
> "
>
>
>

