[Bro] Intel Framework Usage

Kim Halavakoski kim at blackcatsec.net
Mon Jun 9 11:33:13 PDT 2014

I had the same problem when I started using the Intel Framework and in my case it was a simple case of forgetting to install the configurations. Try running the following commands with broctl:

"broctl check && broctl install && broctl restart”

Run those and see if you get any hits when connecting to some known BAD IP-address from the lists you use, the intel.log should be created by Bro if there is match between the seen traffic and your Intel-feeds.

You can easily match against your own data, just remember to format the data with tab-separated values, just as outlined in http://blog.bro.org/2014/01/intelligence-data-and-bro_4980.html :

> Sample file output:
> #fields indicator       indicator_type  meta.source     meta.url        meta.do_notice  meta.if_in
> advanbusiness.com       Intel::DOMAIN   mandiant        -       F       -
> aoldaily.com    Intel::DOMAIN   mandiant        -       F       -
> aolon1ine.com   Intel::DOMAIN   mandiant        -       F       -
> applesoftupdate.com     Intel::DOMAIN   mandiant        -       F       -
> In the example above, mal-dns2bro reads in the mandiant list from stdin and sets the indicator type (``-T'') to DNS because the mandiant list consists of only DNS names. The source (``-s'') field is also set which is a short description of where the intelligence data came from.
> mal-dns2bro will add the necessary tab separated columns for the Intel Framework. It accepts a list of a specific indicator type, but supports all of them, with one entry per line. It can read from stdin or from a file (``-f''). If you don't want to use mal-dnssearch, you can create your own lists with a text editor or other program and have mal-dns2bro format them for Bro.

Kim Halavakoski
kim at blackcatsec.net

On 09 Jun 2014, at 21:14, Damon Rouse <damonrouse at gmail.com> wrote:

> Hi Everyone
> I'm still pretty new BRO and have a couple questions about the Intel framework and how to use/leverage it.  I've looked through the docs and have it loaded in local.bro file.  I don't see an intel.log in my current or my BRO archive logs (previous dates) directories.  Correct to assume this means that there have been no hits to the Intel framework?
> Secondly, is the Input framework the correct way to scan against intel data I have internally or obtain from other sources?  If so, do these text files need to be formatted a certain way like the pre-formatted feeds mentioned in the docs (mal-dns2bro and CIF)?
> Really appreciate the help...Thanks!
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

More information about the Bro mailing list