[Bro] [bro] Bro intelligence framework meta data issue.

Seth Hall seth at icir.org
Wed Jan 28 12:46:19 PST 2015


> On Jan 22, 2015, at 9:44 AM, Giedrius Ramas <giedrius.ramas at gmail.com> wrote:
> 
> So as you can see there aren't any meta data fields on intel.log output.
> 
> Please shed some light on this, where should I look for troubleshooting?

Sorry about that.  When I designed the intel framework, I ran into a few conceptual issues that I just offset to a later date.  I have done some work to address the shortcoming and I’m hoping to get it merged back in for the 2.4 release.  I’ll give some guidance now if you’d like to work with it today…

Clone this repository into your site/ directory…
	cd <prefix>/share/bro/site/
	git clone https://github.com/sethhall/intel-ext.git intel-ext

Add the “intel-ext” module to your local.bro…
	echo "@load intel-ext" >> local.bro

Write and load a script that looks like this…

====script=====
redef record Intel::Info += {
	descriptions: set[string] &optional &log;
};

event Intel::extend_match(info: Intel::Info, s: Intel::Seen, items: set[Intel::Item]) &priority=0
	{
	for ( item in items )
		{
		# Create the set on first use; the field is &optional.
		if ( ! info?$descriptions )
			info$descriptions = set();

		# Intel::MetaData$desc is &optional, so guard the access
		# to avoid a runtime error on items without a description.
		if ( item$meta?$desc )
			add info$descriptions[item$meta$desc];
		}
	}
====end script====

This will add descriptions from all of your intel in a log named intel-ext.log.  Let me know if it works for you.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
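As an added example (not from the original message or the intel-ext repository), the same Intel::extend_match hook used to record, for each hit, which feeds it came from, any reference URLs, and how many intel items matched, so an analyst can judge a hit by its sources rather than by description alone. It assumes intel-ext is loaded and that Intel::MetaData carries the standard source, desc and url fields.

```bro
@load intel-ext

redef record Intel::Info += {
	## Feeds (Intel::MetaData$source) that contained the matched indicator.
	sources: set[string] &optional &log;
	## Reference URLs attached to the matching items, if any.
	urls: set[string] &optional &log;
	## Number of intel items that matched this observation.
	n_items: count &optional &log;
};

event Intel::extend_match(info: Intel::Info, s: Intel::Seen, items: set[Intel::Item]) &priority=0
	{
	# Initialise the optional set fields once per match.
	if ( ! info?$sources )
		info$sources = set();
	if ( ! info?$urls )
		info$urls = set();

	# |items| is the number of items that matched the indicator.
	info$n_items = |items|;

	for ( item in items )
		{
		# source is mandatory in Intel::MetaData, so no guard is needed.
		add info$sources[item$meta$source];

		# url is &optional; only record it when the feed supplied one.
		if ( item$meta?$url )
			add info$urls[item$meta$url];
		}
	}
```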