BRO intel framework

Giedrius_Ramas · April 28, 2015, 7:39am

Hi all ,
I am using BRO intel framework and have some doubts about intel.dat file . Currently I have in my script following :

redef Intel::read_files += {
“/opt/bro/share/bro/intel/intel.dat”
};

How can I append data to /intel.dat ? Can I just overwrite it by using mv linux command ? Is it necessary to reload bro once /intel.dat changed ?

Please shed some light on how bro works with that file .

Seth_Hall3 · April 28, 2015, 4:10pm

How can I append data to /intel.dat ? Can I just overwrite it by using mv linux command ?

Yes, that’s the best option.

Is it necessary to reload bro once /intel.dat changed ?

Nope. Bro will pick up the changes automatically. If you are running on a cluster, it will pick them up on the manager and distribute them out to the workers. Also, the internal intelligence representation is accumulative. If you remove something from that file, Bro is still watching for it.

.Seth

Giedrius_Ramas · April 29, 2015, 5:43am

Thanks for reply,
Could you please elaborate more on that point:" Also, the internal intelligence representation is accumulative. If you remove something from that file, Bro is still watching for it." So, for example if I will overwrite the whole intel file with the new one, what happened to the records from the old file ? Bro still watching for them ?

Nick_Pratley · April 29, 2015, 5:59am

Yes, Bro would still be watching for them, at least if
http://blog.bro.org/2014/01/intelligence-data-and-bro_4980.html is still
accurate:

"
A restart is required if you want to purge entries that have been
removed from the feeds, but not if you only want the new entries because
Bro keeps the file open and will pick up any new additions.
"

Giedrius_Ramas · April 29, 2015, 11:42am

One more thing I need to clarify. I see in bro intel data file (generated by CIF) Intel::URL url’s have a prefix http:// . However when I visit these URLs BRO Intel do not trigger. I tried to remove prefix http:// from url’s in BRO intel file and BRO Intel works well then. So is there anything wrong with CIF generated BRO intel file or elsewhere ?

Seth_Hall3 · April 29, 2015, 1:03pm

Yes, it was designed that way originally so we that could do some optimizations in the future. I’m starting to see some more work that needs to be done on the Intelligence framework though so I’m sure that over the next release or two there will be improvements coming in this area and others.

.Seth

Seth_Hall3 · April 29, 2015, 1:32pm

Oh, that’s not good. I actually thought at some point that I started stripping prefixes off of urls as they came in, but I may not have gotten that out anywhere.

.Seth

Topic		Replies	Views
Bro intelligence framework meta data issue. Zeek	5	53	May 6, 2022
Checking old Bro logs for new intel? Zeek	1	62	May 6, 2022
Python file to build and modify Intel files Zeek	1	44	May 6, 2022
Broccoli + Intel framework Zeek	2	69	May 6, 2022
Manager memory requirements for the intel framework Zeek	2	58	May 6, 2022

BRO intel framework

Related Topics