[Bro] Question about the Intelligence framework

Seth Hall seth at icir.org
Mon Jan 5 07:12:56 PST 2015


> On Jan 3, 2015, at 11:25 PM, Ren, Wenyu <wren3 at illinois.edu> wrote:
> 
> I am trying to extend the current Intelligence framework to support some indicator of my own type.

Cool!  What’s the type?  If it’s a fairly generic type it could probably make sense to include it in Bro for the next release so that people can just import data for that type and have it “automatically” work. :)

> Do you know in which file the corresponding code for the currently supported indicator types is located? The documentation for the Intelligence Framework mentioned some "package of hook scripts". Where can I find those scripts?

Yes, you can find them in <prefix>/share/bro/policy/frameworks/intel/seen/

The scripts in that directory send data into the intel framework to be checked against the loaded intelligence data sets.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/



