[Bro] [bro] Bro intelligence framework meta data issue.

Giedrius Ramas giedrius.ramas at gmail.com
Thu Jan 29 00:06:24 PST 2015


Thank you for writing me back. I have just tried your suggestion, however
still no luck. Here is what I have done:
My intel data file looks like:

#fields indicator indicator_type meta.desc meta.cif_confidence meta.source
summitcpas.com/process/mbb/m2uAccountUpdate/M2ULoginsdo.html Intel::URL phishing 85 phishtank.com

====================================
Here's what I get now on intel_ext.log


#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path intel_ext
#open 2015-01-29-07-58-01
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc seen.indicator seen.indicator_type seen.where sources descriptions
#types time string addr port addr port string string string string enum enum set[string] set[string]
1422518281.529553 CUZQFO0cVtr52M9zj 10.3.2.2 49789 64.207.177.234 80 - - - summitcpas.com/process/mbb/m2uAccountUpdate/M2ULoginsdo.html Intel::URL HTTP::IN_URL phishtank.com phishing

Still missing the meta.desc, meta.cif_confidence and meta.source fields.

===========================================
Here is what my Bro config (local.bro) looks like.


@load intel-ext

@load custom


===========================================

/opt/bro/share/bro/custom# cat custom.bro
# Add a logged column to Intel::Info; &optional because not every match sets it.
redef record Intel::Info += {
        descriptions: set[string] &optional &log;
};

# intel-ext raises Intel::extend_match once per hit, with every item that matched,
# so the descriptions of all matching items can be gathered into the new column.
event Intel::extend_match(info: Intel::Info, s: Intel::Seen, items: set[Intel::Item]) &priority=0
        {
        for ( item in items )
                {
                # Initialise the set on first use; an unset &optional field cannot be added to.
                if ( ! info?$descriptions )
                        info$descriptions = set();

                add info$descriptions[item$meta$desc];
                }
        }
=============================================

cat loaded_scripts.log


/opt/bro/share/bro/intel-ext/__load__.bro
    /opt/bro/share/bro/intel-ext/scripts/main.bro
    /opt/bro/share/bro/intel-ext/scripts/extend.bro
    /opt/bro/share/bro/intel-ext/scripts/log.bro
  /opt/bro/share/bro/custom/__load__.bro
    /opt/bro/share/bro/custom/custom.bro
On Wed, Jan 28, 2015 at 10:46 PM, Seth Hall <seth at icir.org> wrote:

>
> > On Jan 22, 2015, at 9:44 AM, Giedrius Ramas <giedrius.ramas at gmail.com>
> wrote:
> >
> > So as you can see there are any meta data fields on intel.log output.
> >
> > Please shed some light on this, where should I look for troubleshooting?
>
> Sorry about that.  When I designed the intel framework, I ran into a few
> conceptual issues that I just offset to a later date.  I have done some
> work to address the shortcoming and I’m hoping to get it merged back in for
> the 2.4 release.  I’ll give some guidance now if you’d like to work with it
> today…
>
> Clone this repository into your site/ directory…
>         cd <prefix>/share/bro/site/
>         git clone https://github.com/sethhall/intel-ext.git intel-ext
>
> Add the “intel-ext” module to your local.bro…
>         echo "@load intel-ext" >> local.bro
>
> Write and load a script that looks like this…
>
> ====script=====
> redef record Intel::Info += {
>         descriptions: set[string] &optional &log;
> };
>
> event Intel::extend_match(info: Intel::Info, s: Intel::Seen, items:
> set[Intel::Item]) &priority=0
>         {
>         for ( item in items )
>                 {
>                 if ( ! info?$descriptions )
>                         info$descriptions = set();
>
>                 add info$descriptions[item$meta$desc];
>                 }
>         }
> ====end script====
>
> This will add descriptions from all of your intel in a log named
> intel-ext.log.  Let me know if it works for you.
>
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>
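An added example in Bro script, not part of this thread or of the intel-ext repository, showing how the same Intel::extend_match hook can carry the other meta fields from the intel file into intel_ext.log, not only meta.desc. It assumes intel-ext is loaded as above, that `desc` is the standard `&optional` field of Intel::MetaData, and that `cif_confidence` is the `double &optional` field added to Intel::MetaData by Bro's collective-intel integration (policy/integration/collective-intel), which must already be loaded for the intel file above to parse; that field name and type are an assumption taken from that integration. The standard framework already logs `meta.source` as the `sources` column, so no extra code is needed for it. Every optional field is tested with `?$` before it is read, so an item that lacks one of them does not abort the handler; the column name `max_confidence` is a hypothetical choice.

```bro
# Added example (not intel-ext's own code): log desc and the highest
# cif_confidence of all matching intel items as Intel::Info columns.
# Assumes intel-ext and the collective-intel integration are loaded.

redef record Intel::Info += {
        # All descriptions of the items that matched this hit.
        descriptions:   set[string] &optional &log;
        # Highest cif_confidence among the matching items (hypothetical name).
        max_confidence: double      &optional &log;
};

event Intel::extend_match(info: Intel::Info, s: Intel::Seen, items: set[Intel::Item]) &priority=0
        {
        for ( item in items )
                {
                # desc is &optional in Intel::MetaData: guard before reading it,
                # otherwise an item without a description raises a runtime error.
                if ( item$meta?$desc )
                        {
                        if ( ! info?$descriptions )
                                info$descriptions = set();
                        add info$descriptions[item$meta$desc];
                        }

                # cif_confidence is only present when the intel source supplied it;
                # keep the largest value seen so one log row summarises all items.
                if ( item$meta?$cif_confidence )
                        {
                        if ( ! info?$max_confidence ||
                             item$meta$cif_confidence > info$max_confidence )
                                info$max_confidence = item$meta$cif_confidence;
                        }
                }
        }
```

Save this in place of custom.bro in the custom/ directory that local.bro already loads; after a restart, intel_ext.log gains a `max_confidence` column next to `descriptions`, with `-` on rows where no matching item carried a confidence value.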