[Bro] 2.5 Intelligence Framework

eshelton eshelton at butler.net
Wed Nov 9 10:29:24 PST 2016


I'm trying to familiarize myself with the updates/changes to the 2.5 intel
framework, as well as start leveraging it to greater use. I've come across
a couple of issues I'm not quite clear how to solve yet:

1) Is there a way to expire intel inputs from one input source, but not
another?

For example I have tor data as an input source, and I'd like to set this up
to update several times a day, and expiry would be a wonderful option for
this data to keep it as accurate as possible. I also have some somewhat
static input data that may not be updated regularly via cron, and which
doesn't really need expiry at all, save for manual updates to this
particular intel file.

2) Is there a way to only send data to the notice framework from particular
sources? Or perhaps this is an issue of suppressing certain emails from the
notice framework?

For example, I want to log my Tor hits in intel.log, and I don't really
mind if they show up in notice.log either, but I don't want to get emails
every time I log a Tor node hit. I'd like to reserve emails sent from the
notice framework to those from particular data sources which aren't Tor
hits, or of my choosing.

Respectfully,

-Erin Shelton

Program Manager: Incident Response and Network Security
Office of Information Technology
University of Colorado Boulder
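One way to get both behaviours asked about above, as an added example that is not part of the original post or of Bro's own scripts. It assumes the Bro 2.5 intel API as documented there: `Intel::item_expiration` (a redef-able interval), the `Intel::item_expired` hook (a handler that executes `break` lets the item be removed; a handler that runs through resets the expiry timer), the `Intel::match` event, and `Notice::emailed_types`. The module name `IntelPolicy`, the sets `expiring_sources` and `no_email_sources`, the notice types `Tor_Hit` and `Feed_Hit`, and the feed source label `"tor"` (the value in the feed file's `meta.source` column) are assumptions for the example. Check the hook semantics against the `base/frameworks/intel/main.bro` shipped with your install before relying on it.

```bro
##! Per-source intel expiry and per-source notice e-mail policy (example only).
##! Do not also load policy/frameworks/intel/do_expire, which breaks the
##! item_expired hook for every item regardless of source.

@load base/frameworks/intel
@load base/frameworks/notice

module IntelPolicy;

export {
	redef enum Notice::Type += {
		## Hit on a feed whose hits should be logged but never e-mailed.
		Tor_Hit,
		## Hit on any other feed; these are e-mailed.
		Feed_Hit,
	};

	## Feed sources (meta.source values) whose items should expire.
	## Items from any other source stay until the file is reloaded.
	const expiring_sources: set[string] = { "tor" } &redef;

	## Feed sources whose hits go to notice.log only, with no e-mail.
	const no_email_sources: set[string] = { "tor" } &redef;
}

# Expiry timer applies to every item; the hook below decides which ones are
# actually removed when it fires. Reinsertion from a cron-driven reload of the
# feed file resets the timer for items that are still listed.
redef Intel::item_expiration = 12 hr;

hook Intel::item_expired(indicator: string, indicator_type: Intel::Type,
                         metas: set[Intel::MetaData])
	{
	# An indicator may be claimed by several feeds. Keep it if any claiming
	# source is a non-expiring one; running through the handler resets the
	# timer, while break lets the framework remove the item.
	local keep = F;
	for ( m in metas )
		{
		if ( m$source !in expiring_sources )
			keep = T;
		}
	if ( ! keep )
		break;
	}

# Only Feed_Hit notices are e-mailed (Notice::mail_dest must also be set).
redef Notice::emailed_types += { Feed_Hit };

# Raise a source-specific notice for each matching item. Leave meta.do_notice
# unset (or F) in the feed files so the stock do_notice script does not raise
# a second Intel::Notice for the same hit.
event Intel::match(s: Intel::Seen, items: set[Intel::Item])
	{
	for ( item in items )
		{
		local src = item$meta$source;
		local n = Notice::Info($note=(src in no_email_sources) ? Tor_Hit : Feed_Hit,
		                       $msg=fmt("Intel hit on %s at %s (source: %s)",
		                                s$indicator, s$where, src),
		                       $sub=s$indicator);
		if ( s?$conn )
			n$conn = s$conn;
		if ( s?$f )
			n$f = s$f;
		NOTICE(n);
		}
	}
```

With this loaded, a Tor node hit is still written to intel.log by the framework and to notice.log as `IntelPolicy::Tor_Hit`, but no mail is sent for it; hits from every other feed arrive as `IntelPolicy::Feed_Hit` and are e-mailed. Tor items drop out 12 hours after their last reload while entries from the static feed persist until that file is next reread.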

