[ https://bro-tracker.atlassian.net/browse/BIT-1539?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=24400#comment-24400 ]
Johanna Amann commented on BIT-1539:
------------------------------------

Generally - intelligence files (or any other external data files) that are loaded with the Bro input framework do not appear in loaded_scripts.bro. Unless there is an error in reporter.log, you can assume that a file has been loaded correctly.

If you want to check that a file was completely read, you can catch the end_of_data event of the Input framework and check the name of the source that was completely read (intel sources have a name starting with "intel-").

> Adding intel to intel framework Bro is not loading the file
> -----------------------------------------------------------
>
>                 Key: BIT-1539
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1539
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.4
>         Environment: CentOS 7.2. 1511 kernel version 3.10
>            Reporter: Lu Goon
>              Labels: Framework, IP, Intel, addresses, data, files, text
>
> We wanted to get our intel (bad IPs) into Bro for alerting using the intel
> framework. I crafted a file of BAD IPs based on the documentation on the
> site. Also based this on the critical stack implementation as well.
> I provided the following fields: indicator, indicator_type, meta.source,
> meta.desc, meta.do_notice.
> Thus a sample entry would be
> 1.2.3.4 \t Intel::ADDR \t MY INTEL \t My bad IP list \t F
> Per the documentation it should write all that into the intel.log file if
> activated in the local.bro file
> either using broctl or bro -i ens33 local.bro. There is no indication in
> loaded scripts that the file loads.
> Also in my local.bro file I include.
> @load policy/frameworks/intel/seen
> @load policy/frameworks/intel/do_notice
> redef Intel::read_files += { "/usr/local/bro/upload/intel.dat"};
> Any help on debugging why this file is not loading or indication of if it is
> loaded?

--
This message was sent by Atlassian JIRA
(v7.2.0-OD-02-009#72000)
_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
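
One way to implement the end_of_data check described in the comment above, written for Bro 2.4 script syntax. This is an added example, not part of the original thread or of the Bro distribution; the module name `IntelLoadCheck`, the `grace` constant and the `check_pending` event are hypothetical names introduced for illustration.

```bro
module IntelLoadCheck;

export {
	## How long to wait before reporting intel files that never finished
	## loading (hypothetical tunable, not a Bro option).
	const grace = 30 secs &redef;
}

# Files from Intel::read_files that have not yet been read to the end.
global pending: set[string];

global check_pending: event();

event check_pending()
	{
	for ( f in pending )
		Reporter::warning(fmt("intel file not completely read after %s: %s", grace, f));
	}

event bro_init()
	{
	# In a cluster only the manager reads intel files.
	if ( Cluster::is_enabled() && Cluster::local_node_type() != Cluster::MANAGER )
		return;

	for ( f in Intel::read_files )
		add pending[f];

	if ( |pending| > 0 )
		schedule grace { check_pending() };
	}

event Input::end_of_data(name: string, source: string)
	{
	# The intel framework names its input streams "intel-" + file path.
	if ( strstr(name, "intel-") != 1 )
		return;

	delete pending[source];
	Reporter::info(fmt("intel file completely read: %s", source));
	}
```

Loaded from local.bro next to the intel scripts, this writes one line to reporter.log per intel file that was read to the end, and a warning for any configured file that was not read within the grace period.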