[Bro] Intel Framework Not Generating Intel Log

Doug Burks doug.burks at gmail.com
Thu Jun 19 03:47:56 PDT 2014


Hi Jamie,

Take a look at loaded_scripts.log and verify that the intel framework
and your intel feed show up there.

On Wed, Jun 18, 2014 at 3:21 PM, Jamie Gausemel
<jamie.gausemel at gmail.com> wrote:
> I am running Bro 2.2 on Security Onion
>
> ==========================
> sensor1 at sensor1:~/tmp$ sudo tail /opt/bro/share/bro/site/local.bro
> #@load apt1
>
> # Bro Intelligence Framework
> @load frameworks/intel/seen
> @load frameworks/intel/do_notice
>
> # Load Intel Feeds For Bro Intelligence Framework
> redef Intel::read_files += {
>         "/opt/bro/intel_feeds/test.txt"
> };
>
> ==========================
>
> sensor1 at sensor1:~/tmp$ sudo cat /opt/bro/intel_feeds/test.txt
> #fields indicator       indicator_type  meta.source
> 216.146.46.11   Intel::ADDR     jamie
>
> ==========================
>
> sensor1 at sensor1:~/tmp$ sudo bro -r test.pcap local
>
> generates the following logs:
>
> capture_loss.log  conn.log  loaded_scripts.log  packet_filter.log
> reporter.log
>
> ==========================
>
> reporter.log contains:
>
> sensor1 at sensor1:~/tmp$ cat reporter.log
> #separator \x09
> #set_separator  ,
> #empty_field    (empty)
> #unset_field    -
> #path   reporter
> #open   2014-06-18-18-13-17
> #fields ts      level   message location
> #types  time    enum    string  string
> 0.000000        Reporter::WARNING       Template value remaining in BPFConf
> filename: /etc/nsm/{{hostname}}-{{interface}}/bpf-bro.conf
> /opt/bro/share/bro/securityonion/./bpfconf.bro, line 99
> 0.000000        Reporter::INFO  BPFConf filename set:
> /etc/nsm/sensor1-eth1/bpf-bro.conf
> /opt/bro/share/bro/securityonion/./bpfconf.bro, line 103
> 0.000000        Reporter::INFO  BPFConf filename set:
> /etc/nsm/sensor1-eth1/bpf-bro.conf
> /opt/bro/share/bro/securityonion/./bpfconf.bro, line 103
> 1403105006.674182       Reporter::INFO  Failed to open GeoIP database:
> /usr/share/GeoIP/GeoIPCity.dat   (empty)
> 1403105006.674182       Reporter::INFO  Fell back to GeoIP Country database
> (empty)
> 1403105006.674182       Reporter::INFO  Failed to open GeoIP database:
> /usr/share/GeoIP/GeoIPCityv6.dat (empty)
> #close  2014-06-18-18-13-17
>
> ==========================
>
> test.pcap contains ICMP traffic to 216.146.46.11, and this traffic shows up
> in conn.log; however, I am not getting the expected intel.log. The test.txt
> is tab delimited, and was created with pico.
>
> Any ideas? Are there other logs I can look at for clues? Thanks.
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro



-- 
Doug Burks
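As an added example (my own code, not from the thread or from the Bro project), a short Python check for the two things discussed above: that the feed file really is tab-separated with the expected `#fields` header, and that the intel framework scripts appear in loaded_scripts.log. The indicator type list and the script paths are assumptions based on the Bro 2.2 layout; the sample inputs are constructed.

```python
import ipaddress

# Added example, not part of the thread. Indicator types the Bro 2.2 intel
# framework defines (assumed complete for that version).
VALID_TYPES = {"Intel::ADDR", "Intel::URL", "Intel::SOFTWARE", "Intel::EMAIL", "Intel::DOMAIN",
               "Intel::USER_NAME", "Intel::FILE_HASH", "Intel::FILE_NAME", "Intel::CERT_HASH"}
REQUIRED_FIELDS = ("indicator", "indicator_type", "meta.source")


def check_intel_feed(text):
    """Return a list of problems; an empty list means the feed should load."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("#fields\t"):
        return ["first line must be a tab-separated '#fields' header"]
    fields = lines[0].split("\t")[1:]
    problems = ["header lacks required field %r" % f for f in REQUIRED_FIELDS if f not in fields]
    for no, line in enumerate(lines[1:], start=2):
        if not line.strip() or line.startswith("#"):
            continue  # blank and comment lines are ignored by the input framework
        cols = line.split("\t")
        if len(cols) != len(fields):  # the classic symptom of an editor that inserted spaces
            problems.append("line %d: %d column(s), header has %d (spaces instead of tabs?)"
                            % (no, len(cols), len(fields)))
            continue
        row = dict(zip(fields, cols))
        if row["indicator_type"] not in VALID_TYPES:
            problems.append("line %d: unknown indicator_type %r" % (no, row["indicator_type"]))
        elif row["indicator_type"] == "Intel::ADDR":
            try:
                ipaddress.ip_address(row["indicator"])
            except ValueError:
                problems.append("line %d: %r is not an IP address" % (no, row["indicator"]))
    return problems


def intel_scripts_loaded(log_text):
    """Map each intel component to whether a loaded_scripts.log path contains it."""
    wanted = {"intel": "frameworks/intel/main.bro", "seen": "frameworks/intel/seen/",
              "do_notice": "frameworks/intel/do_notice.bro"}
    # Bro writes paths like .../frameworks/intel/./main.bro; drop the "./" before matching.
    paths = [l.replace("/./", "/") for l in log_text.splitlines() if l and not l.startswith("#")]
    return {k: any(v in p for p in paths) for k, v in wanted.items()}


# Constructed inputs: the feed from the thread, a copy retyped with spaces, and two
# abbreviated loaded_scripts.log bodies (a real log lists every script Bro loaded).
GOOD_FEED = "#fields\tindicator\tindicator_type\tmeta.source\n216.146.46.11\tIntel::ADDR\tjamie\n"
BAD_FEED = "#fields\tindicator\tindicator_type\tmeta.source\n216.146.46.11   Intel::ADDR     jamie\n"
LOADED_OK = ("#fields\tname\n/opt/bro/share/bro/base/frameworks/intel/./main.bro\n"
             "/opt/bro/share/bro/policy/frameworks/intel/seen/./__load__.bro\n"
             "/opt/bro/share/bro/policy/frameworks/intel/./do_notice.bro\n")
LOADED_NO_SEEN = "#fields\tname\n/opt/bro/share/bro/base/frameworks/intel/./main.bro\n"
```

Run `check_intel_feed` on the real feed and `intel_scripts_loaded` on the real loaded_scripts.log; a feed that passes but whose `seen` scripts are missing cannot produce intel.log because nothing feeds observations to the matcher.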


