Intelligence framework and bro logs

Hi Bro list,

I am starting to use Bro to check some IOCs on my network using the Bro Intelligence Framework, and I have a few questions regarding my configuration:
- I am updating the IOCs regularly and the only way I found to reload IOCs in Bro is to restart the service with broctl. Is there any better way? (like just reloading the configuration and not restarting everything)
- When restarting Bro with broctl, Bro shows weird behaviour with logs: they are stored in directories with weird names (like 2039-01- 2039-02- 2039-10- 2046-49- 2050-58- 2051-03-…). Have you already seen such a case? Is it due to a bad configuration? Or a bug? Is there a way to restart Bro without rotating logs?

(all this with Bro 2.5 compiled from source)

Thanks
N

Hi N,

> - I am updating the IOCs regularly and the only way I found to reload IOCs
> in bro is to restart the service with broctl, is there any better way?
> (like just reloading the configuration and not restarting everything)

Using Bro 2.5, you can use the new expiration feature of the intel
framework. There might be a blog post explaining the details. I will
check that.

Best regards
Jan