Intel alerts not showing up in the notice log

Dave_Florek · May 4, 2017, 6:07pm

Hi Mike,

Thanks for the response. I’m still not seeing the Intel.log entries show up in my notice.log. I confirmed I have the @load policy/frameworks/intel/do_notice and @load frameworks/intel/seen in my local.bro file and the ‘T’ switch set on my DAT file entries. I’m not sure what to try next.

Any recommendations?

dopheide · May 4, 2017, 6:53pm

I assume you’ve also redef’d Intel::read_files as well.

How are you testing it? If you’re running standalone against a small pcap, I believe Bro may finish processing traffic before it finishes loading the Intel data. (Can anyone confirm or deny that?)

-Dop

Topic		Replies	Views
Help with intel framework Zeek	8	78	May 6, 2022
Intel Framework Not Generating Intel Log Zeek	4	129	May 6, 2022
Intel hits not being emailed Zeek	3	57	May 6, 2022
Intel Framework, Notices, and sending out emails Zeek	3	57	May 6, 2022
question: "intel.log" not generated Zeek	6	106	May 6, 2022

Intel alerts not showing up in the notice log

Related Topics