[Bro] [bro] Extending intel.log
Seth Hall
seth at icir.org
Tue Apr 26 11:00:37 PDT 2016
> On Apr 26, 2016, at 9:07 AM, Tim Desrochers <tgdesrochers at gmail.com> wrote:
>
> Right now when my logs print I get seen_indicator, seen_indicator_type, seen_node, seen_where, and sources, but I’d like to have the meta URL come through and print in the log to make it easy for an analyst to find the source documentation for the referenced intel alert.
I have some extensions for the intel framework here:
https://github.com/sethhall/intel-ext
Look at the tests to see how to use it:
https://github.com/sethhall/intel-ext/tree/master/testing/intel-ext
I'm hoping that some changes will be coming to the intel framework in the next release that should incorporate changes like these and more too.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
More information about the Bro
mailing list