[Zeek] Issues with Intel::FILE_NAME not working.

Jan Grashöfer jan.grashoefer at gmail.com
Wed Jul 10 03:03:36 PDT 2019


Hi William,

the script seen/file-names.zeek [1] defines how file names are reported 
to the intel framework. To match, the indicator has to be identical to 
f$info$filename.

Jan

[1] https://github.com/zeek/zeek/blob/master/scripts/policy/frameworks/intel/seen/file-names.zeek
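Added example, not from the thread or from Zeek's own scripts: a small debugging script that logs the exact f$info$filename value the file analysis framework ends up with, so it can be compared byte for byte with the FILE_NAME indicator, and that reports when Intel::match fires for that type. The intel file path /opt/zeek/intel/filenames.dat and the indicator invoice.exe are constructed for the example.

```zeek
# Added example (not from the thread). Intel file, tab-separated with a
# header line, assumed to be saved as /opt/zeek/intel/filenames.dat:
#
#   #fields	indicator	indicator_type	meta.source	meta.desc	meta.do_notice
#   invoice.exe	Intel::FILE_NAME	local-test	constructed test indicator	T

@load base/frameworks/files
@load base/frameworks/intel
@load policy/frameworks/intel/seen
@load policy/frameworks/intel/do_notice

redef Intel::read_files += { "/opt/zeek/intel/filenames.dat" };

module IntelFilenameDebug;

export {
	redef enum Log::ID += { LOG };

	type Info: record {
		ts:       time   &log;
		fuid:     string &log;
		filename: string &log;
	};
}

event zeek_init()
	{
	Log::create_stream(LOG, [$columns=Info, $path="intel_filename_debug"]);
	}

# Write the filename the framework finally settled on for each file.
# The string logged here is f$info$filename, which is the value a
# FILE_NAME indicator must equal exactly (case, extension, no path).
event file_state_remove(f: fa_file)
	{
	if ( f?$info && f$info?$filename )
		Log::write(LOG, [$ts=network_time(), $fuid=f$id,
		                 $filename=f$info$filename]);
	}

# Confirm end to end that a FILE_NAME indicator produced a match.
event Intel::match(s: Intel::Seen, items: set[Intel::Item])
	{
	if ( s?$indicator_type && s$indicator_type == Intel::FILE_NAME )
		print fmt("FILE_NAME match on %s", s$indicator);
	}
```

Compare the filename column of intel_filename_debug.log against the indicator column of the intel file; any difference in case or in a trailing path component means no match.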

On 09/07/2019 20:27, William Dieterich wrote:
> Using the Intel Framework I cannot get Intel::FILE_NAME to fire.  It
> is working with any other type so my script and read file are good.
> 
> I am loading the following scripts
> 
> Policy/frameworks/intel/seen
> policy/frameworks/intel/do_notice
> frameworks/file/hash-all-files.bro
> base/frameworks/intel/files.bro
> 
> Loading hash-all-files.bro is there so that Intel::FILE_HASH works, is
> there a better way?
> 
> I am taking filenames from both my files.log and http.log files so I
> know the files exist.  I am getting no errors in recorder.log and am
> running from the command line and no errors are there.  Any ideas on
> what I am doing wrong?