[Bro] Intel Framework Usage
kim at blackcatsec.net
Mon Jun 9 11:33:13 PDT 2014
I had the same problem when I started using the Intel Framework and in my case it was a simple case of forgetting to install the configurations. Try running the following commands with broctl:
"broctl check && broctl install && broctl restart"
Run those and see if you get any hits when connecting to some known BAD IP-address from the lists you use, the intel.log should be created by Bro if there is match between the seen traffic and your Intel-feeds.
You can easily match against your own data, just remember to format the data with tab-separated values, just as outlined in http://blog.bro.org/2014/01/intelligence-data-and-bro_4980.html :
> Sample file output:
> #fields indicator indicator_type meta.source meta.url meta.do_notice meta.if_in
> advanbusiness.com Intel::DOMAIN mandiant - F -
> aoldaily.com Intel::DOMAIN mandiant - F -
> aolon1ine.com Intel::DOMAIN mandiant - F -
> applesoftupdate.com Intel::DOMAIN mandiant - F -
> In the example above, mal-dns2bro reads in the mandiant list from stdin and sets the indicator type ("-T") to DNS because the mandiant list consists of only DNS names. The source ("-s") field is also set which is a short description of where the intelligence data came from.
> mal-dns2bro will add the necessary tab separated columns for the Intel Framework. It accepts a list of a specific indicator type, but supports all of them, with one entry per line. It can read from stdin or from a file ("-f"). If you don't want to use mal-dnssearch, you can create your own lists with a text editor or other program and have mal-dns2bro format them for Bro.
kim at blackcatsec.net
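As an added illustration of the tab-separated layout the reply points to (this is example code, not part of the mailing-list post, the blog article or the Bro project), the following script writes a feed file with the same `#fields` header as the quoted sample and then checks a feed for the mistakes that most often leave intel.log absent: a missing header, columns separated by spaces instead of tabs, a wrong column count, or an indicator type Bro does not know. The set of `Intel::` type names is the one documented for Bro 2.x; the sample indicators and the `constructed-list` source name are constructed placeholders.

```python
"""Build and sanity-check a Bro Intel Framework feed file.

Added example, not code from the mailing-list post or the Bro project.
The Intel::Type names are the ones documented for Bro 2.x; the sample
indicators below are constructed placeholders, not real intelligence.
"""

# Column order used by the Intel Framework's default feed layout.
FIELDS = ["indicator", "indicator_type", "meta.source",
          "meta.url", "meta.do_notice", "meta.if_in"]

# Indicator types accepted by the Intel Framework in Bro 2.x.
INTEL_TYPES = {
    "Intel::ADDR", "Intel::URL", "Intel::SOFTWARE", "Intel::EMAIL",
    "Intel::DOMAIN", "Intel::USER_NAME", "Intel::FILE_HASH",
    "Intel::FILE_NAME", "Intel::CERT_HASH",
}


def format_intel_file(entries, source):
    """Return the text of a tab-separated intel feed.

    entries: iterable of (indicator, indicator_type, do_notice) tuples.
    Optional fields that are empty are written as '-', which the input
    framework reads as unset; do_notice=True makes a match raise a Notice.
    """
    lines = ["#fields\t" + "\t".join(FIELDS)]
    for indicator, itype, do_notice in entries:
        if itype not in INTEL_TYPES:
            raise ValueError("unknown indicator type: %s" % itype)
        lines.append("\t".join([
            indicator, itype, source, "-", "T" if do_notice else "F", "-"]))
    return "\n".join(lines) + "\n"


def validate_intel_file(text):
    """Return a list of (line_number, problem) tuples for a feed file.

    An empty list means the feed has the shape Bro expects. Comment lines
    other than the header are skipped.
    """
    problems = []
    lines = text.splitlines()
    if not lines or not lines[0].startswith("#fields\t"):
        problems.append((1, "first line must be a tab-separated #fields header"))
        ncols = len(FIELDS)
    else:
        ncols = len(lines[0].split("\t")) - 1  # drop the '#fields' token
    for n, line in enumerate(lines[1:], start=2):
        if not line or line.startswith("#"):
            continue
        # The classic mistake: a feed edited by hand with spaces, not tabs.
        if "\t" not in line and " " in line:
            problems.append((n, "fields separated by spaces, not tabs"))
            continue
        cols = line.split("\t")
        if len(cols) != ncols:
            problems.append((n, "expected %d columns, found %d" % (ncols, len(cols))))
            continue
        if cols[1] not in INTEL_TYPES:
            problems.append((n, "unknown indicator_type %r" % cols[1]))
    return problems


# Constructed sample indicators (placeholders, not real intelligence).
SAMPLE = [
    ("malware-c2.example.com", "Intel::DOMAIN", False),
    ("198.51.100.23", "Intel::ADDR", True),
]

if __name__ == "__main__":
    feed = format_intel_file(SAMPLE, "constructed-list")
    print(feed, end="")
    print("problems:", validate_intel_file(feed))
```

Run `validate_intel_file` over a feed before pointing `Intel::read_files` at it: a feed that passes but still yields no intel.log usually means the file was never installed with broctl, as the reply above describes, rather than a formatting problem.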
On 09 Jun 2014, at 21:14, Damon Rouse <damonrouse at gmail.com> wrote:
> Hi Everyone
> I'm still pretty new to BRO and have a couple questions about the Intel framework and how to use/leverage it. I've looked through the docs and have it loaded in local.bro file. I don't see an intel.log in my current or my BRO archive logs (previous dates) directories. Correct to assume this means that there have been no hits to the Intel framework?
> Secondly, is the Input framework the correct way to scan against intel data I have internally or obtain from other sources? If so, do these text files need to be formatted a certain way like the pre-formatted feeds mentioned in the docs (mal-dns2bro and CIF)?
> Really appreciate the help...Thanks!