[Bro] Intel alerts not showing up in the notice log

Mike Dopheide dopheide at gmail.com
Thu May 4 11:53:49 PDT 2017


I assume you've also redef'd Intel::read_files as well.

How are you testing it?  If you're running standalone against a small pcap,
I believe Bro may finish processing traffic before it finishes loading the
Intel data.  (Can anyone confirm or deny that?)

-Dop

On Thu, May 4, 2017 at 1:07 PM, Dave Florek <dave.a.florek at gmail.com> wrote:

> Hi Mike,
>
> Thanks for the response. I'm still not seeing the Intel.log entries show
> up in my notice.log. I confirmed I have the @load policy/frameworks/intel/do_notice
> and @load frameworks/intel/seen in my local.bro file and the 'T' switch set
> on my DAT file entries. I'm not sure what to try next.
>
> Any recommendations?
>
> > Date: Tue, 2 May 2017 16:06:37 -0500
> > From: Mike Dopheide <dopheide at gmail.com>
> > Subject: Re: [Bro] Intel alerts not showing up in the notice log
> > To: Dave Florek <dave.a.florek at gmail.com>
> > Cc: "bro at bro.org" <bro at bro.org>
> > Message-ID: <CAPy2kFb0Cq182NfppPmqGt42+qdUqys09r=gu7JxLojfnefL0w at mail.gmail.com>
> > Content-Type: text/plain; charset="utf-8"
>
> >
> > I haven't read the whole thread, but you may need:
> >
> > @load policy/frameworks/intel/do_notice
> >
> > As well as have "meta.do_notice" set to T in your .dat files.
> >
> > -Dop
> >
> >> On Tue, May 2, 2017 at 3:36 PM, Dave Florek <dave.a.florek at gmail.com> wrote:
> >>
> >> Good afternoon,
> >>
> >>  Was there a resolution to this thread? I'm having the same issue on a
> >>  default build and I'm not sure where to start.
> >>
> >>  http://mailman.icsi.berkeley.edu/pipermail/bro/2014-May/006940.html
> >>
> >>  Thanks,
> >>
> >>
> >>  _______________________________________________
> >>  Bro mailing list
> >>  bro at bro-ids.org
> >>  http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
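As an added example (editor's addition, not code from the thread or from the Bro project), here is the local.bro wiring the replies above describe, plus two diagnostic event handlers that separate the three failure points the thread circles around: the intel file not being read, the indicator not matching, and the match not being turned into a notice. The file path /opt/bro/share/bro/intel/test.dat, the stream-name prefix "intel-" and the sample indicator 198.51.100.7 are assumptions for the example; the .dat contents shown in the comment are constructed and must be tab-separated.

```bro
# local.bro fragment (added example, not from the thread).
#
# Constructed contents of /opt/bro/share/bro/intel/test.dat (columns are TABs):
#   #fields	indicator	indicator_type	meta.source	meta.desc	meta.url	meta.do_notice
#   198.51.100.7	Intel::ADDR	test-feed	constructed test indicator	-	T
#
# Without the meta.do_notice column set to T, a match is written to intel.log
# but never promoted to notice.log, even with do_notice loaded.

# Hook the protocol analyzers into the Intel framework (addresses, hostnames,
# hashes, ...); without this nothing is ever looked up.
@load frameworks/intel/seen

# Adds the meta.do_notice field and raises Intel::Notice on matching items.
@load policy/frameworks/intel/do_notice

# Register the indicator file. Path is an assumption for this example.
redef Intel::read_files += {
    "/opt/bro/share/bro/intel/test.dat",
};

# Diagnostic 1: did the file load at all, and when?
# The intel framework registers each file with the Input framework as a
# stream named "intel-<path>" (assumption based on the 2.x sources); the ASCII
# reader raises Input::end_of_data once it has consumed the whole file.
# When running against a small pcap, compare the timestamp of this line with
# the first "match:" line below to see whether traffic was processed before
# the indicators were in memory.
event Input::end_of_data(name: string, source: string)
    {
    if ( /^intel-/ in name )
        print fmt("%s intel file fully loaded: %s", network_time(), source);
    }

# Diagnostic 2: fires for every hit, independent of do_notice.
# If this prints but notice.log stays empty, the problem is in the meta
# columns of the .dat file (or do_notice.bro is not loaded); if it never
# prints, the indicator is not being seen or was not loaded.
event Intel::match(s: Intel::Seen, items: set[Intel::Item])
    {
    for ( item in items )
        print fmt("%s match: %s (%s) where=%s source=%s do_notice=%s",
                  network_time(),
                  s?$indicator ? s$indicator : "<unset>",
                  s?$indicator_type ? cat(s$indicator_type) : "<unset>",
                  s$where, item$meta$source, item$meta$do_notice);
    }
```

Run it as `bro -C -r sample.pcap local.bro` (standalone) or deploy through broctl; the two print lines go to stdout (or stdout.log under broctl), while the notices themselves still land in notice.log as Intel::Notice. Note that `Intel::match` only reports items that matched, so for the pcap-ordering question the useful signal is the loaded line appearing, or not appearing, before any match line.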

