Removing intel while Bro is running

John_B_Althouse_III · July 30, 2015, 5:11pm

It seems that while it’s possible to add to the intel list in memory while Bro is running, it’s not possible to remove.

That is, if I remove something from the intel file because it’s generating too many false positives, I have to restart Bro in order for it to take effect.

Is there anything I can do to fix this? I’d rather not restart Bro and lose connection states.

Seth_Hall3 · July 30, 2015, 7:22pm

There will be code going into Bro before too long, but for now you can run what I wrote as an extension...

https://github.com/sethhall/intel-ext

You can see how to work with it in the testing/ directory. Look into how the whitelisting happens. It gives you the ability to stop monitoring for intel items by actually adding new “whitelisted” intel items.

.Seth

Topic		Replies	Views
Removing IP from Intel Framework? Zeek	8	93	May 6, 2022
CIF and Bro Integration Zeek	12	100	May 6, 2022
updating intelligence data without restarting Zeek Development development	2	167	May 6, 2022
BRO intel framework Zeek	7	95	May 6, 2022
Python file to build and modify Intel files Zeek	1	60	May 6, 2022

Removing intel while Bro is running

Related topics