[Bro] A little more confusion with Intel

Azoff, Justin S jazoff at illinois.edu
Thu Jan 18 10:13:11 PST 2018


> On Jan 18, 2018, at 1:06 PM, James Lay <jlay at slave-tothe-box.net> wrote:
> 
> Here too, is there something I'm missing?  In testing different packet captures using TCP, I get intel...so does the Intel framework not support UDP?  Thank you.
> 
> James
> 

The intel framework doesn't know anything about tcp or udp.  The default scripts for connections only alert on tcp connections though:

https://github.com/bro/bro/blob/master/scripts/policy/frameworks/intel/seen/conn-established.bro

— 
Justin Azoff
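The script linked above only calls Intel::seen from the connection_established event, which Bro raises for TCP handshakes alone, so UDP flows never reach the Intel framework. Below is an added example (not part of this thread or of the Bro distribution) of a small policy script that feeds UDP endpoints to Intel::seen in the same way; the event choice (new_connection) and the transport check are my assumptions about how one would cover UDP without duplicating the TCP handling already in conn-established.bro.

```bro
##! Added example: report the endpoints of UDP connections to the Intel
##! framework. TCP connections are already covered by the stock
##! policy/frameworks/intel/seen/conn-established.bro script, so this
##! script deliberately skips them.

@load base/frameworks/intel
# Provides the Conn::IN_ORIG / Conn::IN_RESP "where" locations.
@load policy/frameworks/intel/seen/where-locations

module IntelUDPSeen;

# new_connection fires on the first packet of any flow, including UDP,
# which has no handshake and therefore no connection_established event.
event new_connection(c: connection)
	{
	# Leave TCP to conn-established.bro; only handle UDP here.
	if ( get_port_transport_proto(c$id$resp_p) != udp )
		return;

	# Same shape as the TCP script: check both endpoints against
	# loaded Intel::ADDR indicators. Any hit is logged to intel.log
	# and raises Intel::match as usual.
	Intel::seen([$host=c$id$orig_h,
	             $indicator_type=Intel::ADDR,
	             $conn=c,
	             $where=Conn::IN_ORIG]);

	Intel::seen([$host=c$id$resp_h,
	             $indicator_type=Intel::ADDR,
	             $conn=c,
	             $where=Conn::IN_RESP]);
	}
```

Load it alongside the regular intel scripts (for example from local.bro) and re-run the UDP capture with `bro -r`; matching addresses then show up in intel.log with seen.where set to Conn::IN_ORIG or Conn::IN_RESP. Because new_connection fires per flow rather than per handshake, a noisy UDP capture can produce many more lookups than the TCP script would, so watch the volume before enabling this on a busy sensor.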
