[Bro] bro exchange 2013 intel exercises

Josh Liburdi liburdi.joshua at gmail.com
Mon May 19 05:34:53 PDT 2014


Haven't run into your first question before, but to answer the second ... yes, the Intel framework is suited for IP addresses. Can't speak for Suricata, but Bro will natively find IP addresses in more places than Snort does. 


-Josh






On Mon, May 19, 2014 at 1:56 AM, scott mcallester <scott at 0x4c.com> wrote:
I'm trying to get the exercises from here going.

My intel.bro:

@load policy/frameworks/intel/seen
@load policy/frameworks/intel/do_notice

redef Intel::read_files += {
    fmt("%s/intel.dat", @DIR)
};

My intel.dat:

#fields	indicator	indicator_type	meta.source
fetchback.com	Intel::DOMAIN	my_special_source

I've double-checked the tab spacing and it all looks fine, but every time I run this I receive this error:

bro -C -r exercise-traffic.pcap intel.bro
internal error: Value not found in enum mappimg. Module: GLOBAL, var: , var size: 0
Aborted (core dumped)

I also installed Bro 2.2 from source on my local machine (Mint 13) and get exactly the same error.
Any ideas?

And a follow-up question for when I get this sorted:
If I have a txt file with a list of newline-separated IPs (~1500) from malwaredomainlist.com, is this something the Intel framework is suited for? Or should I just stick to Snort's blacklist.rules or Suricata's equivalent?

Scott
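Added example, not from the thread: a small Python helper that turns a newline-separated indicator list like the one Scott describes into an intel.dat using the tab-separated indicator / indicator_type / meta.source layout from his file, and reports lines that are neither an IP address nor a hostname instead of writing them. The IP-vs-hostname classification, the function names and the sample list are my own assumptions.

```python
# Added example (not from the thread): turn a newline-separated indicator
# list into a Bro 2.2 Intel framework file. Assumes the intel.dat layout
# used above: '#fields' header, then TAB-separated indicator,
# indicator_type and meta.source columns.
import ipaddress
import re

HEADER = "#fields\tindicator\tindicator_type\tmeta.source"
# Conservative hostname check: dot-separated labels of letters, digits, hyphens.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def classify(indicator):
    """Return the Intel::* enum for an IP address or hostname, else None."""
    try:
        ipaddress.ip_address(indicator)
        return "Intel::ADDR"
    except ValueError:
        pass
    return "Intel::DOMAIN" if _DOMAIN_RE.match(indicator) else None

def build_intel_dat(raw_lines, source):
    """Return (file_text, rejected): blank lines and '#' comments are skipped,
    duplicates dropped, and unrecognised values reported instead of written."""
    records, rejected, seen = [HEADER], [], set()
    for line in raw_lines:
        value = line.strip()
        if not value or value.startswith("#"):
            continue
        itype = classify(value)
        if itype is None:
            rejected.append(value)
        elif value not in seen:
            seen.add(value)
            # Columns are joined with a single TAB: the input framework's
            # default field separator is "\t", not runs of spaces.
            records.append("\t".join((value, itype, source)))
    return "\n".join(records) + "\n", rejected

# Constructed sample standing in for a downloaded list (documentation
# addresses, not real indicators).
SAMPLE_LIST = """# example feed
192.0.2.10
198.51.100.7
192.0.2.10
fetchback.com
not an indicator
2001:db8::1
"""
```

Write the first return value of build_intel_dat(SAMPLE_LIST.splitlines(), "my_special_source") to intel.dat next to intel.bro, and inspect the second for lines that would otherwise have gone into the file with no valid indicator_type.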