[Bro] Intel.log wrong format

Jan Grashöfer jan.grashoefer at gmail.com
Tue Jan 24 08:25:23 PST 2017


Hi Rodrigo,

> I'm using the INTEL bro framework successfully. I'm having a hard time to
> understand why inside my intel.log file, the information "Intel::ADDR" is
> showing twice. It is identified by the fields "seen.indicator_type" and
> "matched sources".

nice to hear that the intel framework is useful to you. As Justin
already pointed out, "matched" and "sources" are two different fields.

The fields "seen.indicator_type" and "matched" have a slightly different
meaning. For example if you specify a subnet in your intel file and you
see a connection to an IP inside this subnet, "seen.indicator_type" will
be Intel::ADDR while "matched" will be Intel::SUBNET. For more details
about the data model the blog post about the intelligence framework
update might be interesting:
http://blog.bro.org/2016/12/the-intelligence-framework-update.html

I hope this helps,
Jan
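As an added illustration of the data model Jan describes (this is not Bro's own code and not part of the original thread), the following Python script simulates how one observed indicator is matched against a loaded intel set. The intel entries, source names and the "seen" values are constructed for the example; only the four intel.log columns relevant to the question (seen.indicator, seen.indicator_type, matched, sources) are rendered, in the tab-separated layout with comma-separated set fields that Bro uses.

```python
import ipaddress

# Constructed intel file in the tab-separated layout read by the intel
# framework. Sources and indicators are made up for this example.
INTEL_DAT = """\
#fields\tindicator\tindicator_type\tmeta.source
10.0.0.0/8\tIntel::SUBNET\tinternal-ranges
10.1.2.3\tIntel::ADDR\tbad-hosts
198.51.100.7\tIntel::ADDR\tbad-hosts
evil.example\tIntel::DOMAIN\tdns-feed
"""


def load_intel(text):
    """Parse intel.dat-style text into (indicator, indicator_type, source) tuples."""
    items = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        indicator, itype, source = line.split("\t")
        items.append((indicator, itype, source))
    return items


def match(items, seen_indicator, seen_type):
    """Return (matched, sources) for one observation.

    seen_type is the type of what was observed on the wire (this becomes
    seen.indicator_type). An observed ADDR matches an exact ADDR item and also
    any SUBNET item containing it, so matched can hold several Intel::Type
    values even though seen.indicator_type has exactly one.
    """
    matched, sources = set(), set()
    for indicator, itype, source in items:
        if itype == seen_type and indicator == seen_indicator:
            hit = True
        elif seen_type == "Intel::ADDR" and itype == "Intel::SUBNET":
            hit = ipaddress.ip_address(seen_indicator) in ipaddress.ip_network(
                indicator, strict=False
            )
        else:
            hit = False
        if hit:
            matched.add(itype)
            sources.add(source)
    return matched, sources


def observe(items, seen_indicator, seen_type):
    """Render the intel.log columns for one hit, or None when nothing matched.

    Bro only writes an intel.log entry when at least one item matched, and set
    fields are rendered as comma-separated values inside a tab-separated line.
    """
    matched, sources = match(items, seen_indicator, seen_type)
    if not matched:
        return None
    return "\t".join(
        [seen_indicator, seen_type, ",".join(sorted(matched)), ",".join(sorted(sources))]
    )


if __name__ == "__main__":
    items = load_intel(INTEL_DAT)
    print("seen.indicator\tseen.indicator_type\tmatched\tsources")
    for ind, typ in [
        ("10.1.2.3", "Intel::ADDR"),      # exact ADDR hit and inside 10.0.0.0/8
        ("10.9.9.9", "Intel::ADDR"),      # only the SUBNET item matches
        ("198.51.100.7", "Intel::ADDR"),  # only an ADDR item matches
        ("evil.example", "Intel::DOMAIN"),
        ("192.0.2.1", "Intel::ADDR"),     # no hit, so no log line
    ]:
        line = observe(items, ind, typ)
        if line is not None:
            print(line)
```

The first observation is the situation from the thread: seen.indicator_type is Intel::ADDR once, while the matched column lists Intel::ADDR and Intel::SUBNET and the sources column lists both feeds that contributed a hit.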

