[Bro] Threat Intelligence Management

Andrew Ratcliffe andrew.ratcliffe at nswcsystems.co.uk
Mon Jun 29 14:12:49 PDT 2015


Josh,
I tried a different one just so that it was current in the logs.

cwihosting.com/emsp/data/getproductrequest.htm	Intel::URL	from http://www.phishtank.com/phish_detail.php?phish_id=2479331 via intel.criticalstack.com	F
[root at bro intel]# cd /usr/local/bro/logs/current/
[root at bro current]# grep -l cwihosting.com *.log
dns.log
http.log
[root at bro current]# grep cwihosting.com http.log
1435611906.514899	C31ZazNObk3xTTk86	172.31.254.179	51734	72.52.170.179	80	1	GET	cwihosting.com	/emsp/data/getproductrequest.htm	-	curl/7.37.1	0	18464	200	OK	-	-	-	(empty)	-	-	-	-	-	FdGgt336pWjZZn8MBa	-
[root at bro current]#


Thanks

Kind regards,
Andy
Andrew.Ratcliffe at NSWCSystems.co.uk
CISSP, GCIA, GCIH, GPEN, GWAPT, CSTA, CSTP, CWSA, GCFE
Blog.InfoSecMatters.net <http://blog.infosecmatters.net/>






> On 29 Jun 2015, at 21:35, Josh Liburdi <liburdi.joshua at gmail.com> wrote:
> 
> Andy,
> 
> If you still have these log files (or can generate them again), can
> you share the line from http.log that contains the URL indicator?
> 
> Thanks,
> Josh
> 
> On Sun, Jun 28, 2015 at 6:02 PM, Andrew Ratcliffe
> <andrew.ratcliffe at nswcsystems.co.uk> wrote:
>> Hi Josh,
>> Thanks for pointing that out. However, I still seem to have a problem:
>> www.etiksecimler.com/appraiser/ipad/ Intel::URL from http://www.phishtank.com/phish_detail.php?phish_id=3266591 via intel.criticalstack.com F
>> Use Curl to get the URL
>> Andys-MacBook-Air:~ andy$ curl www.etiksecimler.com/appraiser/ipad/
>> Still no intel.log entry
>> [root at bro current]# grep -l www.etiksecimler.com *.log
>> dns.log
>> http.log
>> 
>> # Critical Stack, Inc - https://intel.criticalstack.com
>> @load /opt/critical-stack/frameworks/intel
>> # Uncomment the following line to enable detection of the heartbleed attack. Enabling
>> # this might impact performance a bit.
>> # @load policy/protocols/ssl/heartbleed
>> @load conn-geoip2.bro
>> @load intel-2.bro
>> #@load bpf-filter.bro
>> 
>> Kind regards,
>> Andy
>> Andrew.Ratcliffe at NSWCSystems.co.uk
>> CISSP, GCIA, GCIH, GPEN, GWAPT, CSTA, CSTP, CWSA, GCFE
>> Blog.InfoSecMatters.net
>> 
>> 
>> 
>> 
>> 
>> 
>> On 27 Jun 2015, at 23:55, Josh Liburdi <liburdi.joshua at gmail.com> wrote:
>> 
>> Andy,
>> 
>> By default the Intel framework only generates log entries for IP addresses
>> if the connection is a fully established TCP connection. That's probably why
>> pinging an IP did not generate an entry.
>> 
>> Josh
>> 
>> On Saturday, Jun 27, 2015 at 5:39 PM, Andrew Ratcliffe
>> <andrew.ratcliffe at nswcsystems.co.uk>, wrote:
>>> 
>>> Hi,
>>> I tried using criticalstack, as it sounds like a really cool idea. I just
>>> can’t seem to get any events from it.
>>> 
>>> Should events go to the notice.log or the intel.log?
>>> 
>>> I tried a ping from an address present in the feed then looked for output
>>> and I have conn.log ICMP entry and a syslog entry but nothing else.
>>> Andys-MacBook-Air:~ andy$ ping 89.106.121.76
>>> 
>>> [root at bro current]# grep -l '89.106.121.76' *.log
>>> conn.log
>>> syslog.log
>>> 
>>> 1435439487.024865 C6HBUkZ7i07zlYE5a 172.31.254.179 8 89.106.121.76 0 icmp - 9.123324 560 560 OTH T 0 - 1840 10 840 (empty) - BG - - 22.872499 43.990002
>>> 
>>> I have some Intel loaded from CIF2 and that works OK, I use the test
>>> event:
>>> Andys-MacBook-Air:~ andy$ curl http://testmyids.com
>>> uid=0(root) gid=0(root) groups=0(root)
>>> intel.log
>>> 1435439895.054961 CaEWz015AEjRJRruN2 172.31.254.179 55025 172.31.254.80 53 - - - testmyids.com Intel::DOMAIN DNS::IN_REQUEST Tester
>>> 1435439895.054965 COdqds1DkdarGlSnY1 172.31.254.179 53210 172.31.254.80 53 - - - testmyids.com Intel::DOMAIN DNS::IN_REQUEST Tester
>>> 1435439895.055305 CLcqwd2xLkH0MUUtf3 172.31.254.80 50910 8.8.4.4 53 - - - testmyids.com Intel::DOMAIN DNS::IN_REQUEST Tester
>>> 1435439895.055309 Cwdyhm1vbT1SnTiSG1 172.31.254.80 50639 8.8.4.4 53 - - - testmyids.com Intel::DOMAIN DNS::IN_REQUEST Tester
>>> 1435439895.253858 CtMoHr3h546C8UmdSi 172.31.254.179 50214 82.165.177.154 80 - - - testmyids.com Intel::DOMAIN HTTP::IN_HOST_HEADER Tester
>>> 
>>> Am I doing something wrong?
>>> 
>>> Kind regards,
>>> Andy
>>> Andrew.Ratcliffe at NSWCSystems.co.uk
>>> CISSP, GCIA, GCIH, GPEN, GWAPT, CSTA, CSTP, CWSA, GCFE
>>> Blog.InfoSecMatters.net
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> On 25 Jun 2015, at 13:51, Liam Randall <liam.randall at gmail.com> wrote:
>>> 
>>> No, Critical Stack is entirely custom; we are not building a TIP. We
>>> wanted to have an easy way to have actionable intel stream into Bro as it is
>>> discovered, so we built it. We thought others would want it as well, so we
>>> made it freely available to the community. We are getting ready to launch a
>>> new extension to it called KITTY - Keep Intel Transactions To Yourself - that
>>> allows you to privately share and deploy 100's of millions of indicators in a
>>> fast, memory-efficient way. It integrates directly with our online
>>> marketplace; we deployed our first test clients this week. We'll announce
>>> more shortly @CriticalStack.
>>> 
>>> For TIPs there are a lot of great solutions you should look at:
>>> 
>>> Free:
>>> MISP
>>> CRITS
>>> 
>>> Commercial:
>>> Soltra Edge (has a free version)
>>> ThreatConnect
>>> ThreatStream
>>> ThreatQ (ThreatQuotient)
>>> BrightPoint Security (formerly Vorstack)
>>> 
>>> 
>>> V/r,
>>> 
>>> Liam Randall
>>> 
>>> 
>>> On Thu, Jun 25, 2015 at 8:37 AM, Harry Hoffman <hhoffman at ip-solutions.net>
>>> wrote:
>>>> 
>>>> Is critical stack based upon CIF (collective intelligence framework)?
>>>> 
>>>> It looks very similar.
>>>> 
>>>> Cheers,
>>>> Harry
>>>> 
>>>> 
>>>> On Jun 25, 2015 7:44 AM, Heine Lysemose <lysemose at gmail.com> wrote:
>>>>> 
>>>>> Hi
>>>>> 
>>>>> I encourage you to have a look at, https://intel.criticalstack.com/
>>>>> 
>>>>> Best,
>>>>> Lysemose
>>>>> 
>>>>> On Thu, Jun 25, 2015 at 1:31 PM, Jan Grashofer <jan.grashofer at cern.ch>
>>>>> wrote:
>>>>>> 
>>>>>> Hi all,
>>>>>> 
>>>>>> I am having a look at Threat Intelligence Management solutions, which
>>>>>> can be used with Bro. What do you use and what are your experiences?
>>>>>> 
>>>>>> Regards,
>>>>>> Jan
>>>>>> 
>>>>>> _______________________________________________
>>>>>> Bro mailing list
>>>>>> bro at bro-ids.org
>>>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>>> 
>>>>> 
>>>> 
>>> 
>>> 
>>> 
>>> 
>> 

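The thread turns on what string the Intel framework actually looks up: Josh's point that ADDR indicators are only checked once a TCP connection is fully established, and the open question of whether the URL indicator matches the request recorded in http.log. The Python below is an added example for this page, not code from Bro, Critical Stack or any of the posters. It rebuilds those two lookups from sample log records constructed to mirror the lines quoted above, and assumes the behaviour of the stock Bro 2.x "seen" scripts: HTTP::build_url() joins host and uri with no scheme (appending ":port" only when the responder port is not 80) and is passed as Intel::URL, the Intel::URL type is documented as a URL without its http:// prefix, and the conn-established script feeds both endpoints as Intel::ADDR only after a completed handshake. The conn_state values treated as "established", the 27/21-column field lists and all sample records are the example's own.

```python
"""Reproduce outside Bro what the Intel framework's seen scripts feed to
Intel::seen() for an http.log request and a conn.log record.

Added example, not Bro/Critical Stack code.  Field lists follow a Bro 2.4
http.log and conn.log; ESTABLISHED_STATES is this example's own reading of
the conn_state documentation; all sample records are constructed.
"""

HTTP_FIELDS = (
    "ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri "
    "referrer user_agent request_body_len response_body_len status_code "
    "status_msg info_code info_msg filename tags username password proxied "
    "orig_fuids orig_mime_types resp_fuids resp_mime_types"
).split()
CONN_FIELDS = (
    "ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration "
    "orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes "
    "history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents"
).split()

# conn_state values that imply a completed three-way handshake (assumption).
ESTABLISHED_STATES = {"S1", "S2", "S3", "SF", "RSTO", "RSTR"}

# Constructed records modelled on the lines quoted in the thread.
HTTP_LINE = "\t".join([
    "1435611906.514899", "C31ZazNObk3xTTk86", "172.31.254.179", "51734",
    "72.52.170.179", "80", "1", "GET", "cwihosting.com",
    "/emsp/data/getproductrequest.htm", "-", "curl/7.37.1", "0", "18464",
    "200", "OK", "-", "-", "-", "(empty)", "-", "-", "-", "-", "-",
    "FdGgt336pWjZZn8MBa", "-"])
ICMP_CONN_LINE = "\t".join([
    "1435439487.024865", "C6HBUkZ7i07zlYE5a", "172.31.254.179", "8",
    "89.106.121.76", "0", "icmp", "-", "9.123324", "560", "560", "OTH", "T",
    "F", "0", "-", "10", "840", "10", "840", "(empty)"])
TCP_CONN_LINE = "\t".join([
    "1435439500.000000", "CxAmPlE0000000001", "172.31.254.179", "50214",
    "89.106.121.76", "80", "tcp", "http", "0.25", "120", "18464", "SF", "T",
    "F", "0", "ShADadFf", "6", "440", "8", "18900", "(empty)"])
# Intel file in the framework's own format.  The second URL keeps its
# scheme, which the Intel::URL type is documented not to carry.
INTEL_FILE = "\n".join([
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.do_notice",
    "cwihosting.com/emsp/data/getproductrequest.htm\tIntel::URL\t"
    "from http://www.phishtank.com/phish_detail.php?phish_id=2479331 via intel.criticalstack.com\tF",
    "http://www.etiksecimler.com/appraiser/ipad/\tIntel::URL\tconstructed bad entry\tF",
    "89.106.121.76\tIntel::ADDR\tconstructed\tF"])


def parse_log_line(line, fields):
    """Split one tab-separated Bro log record into a dict keyed by field name."""
    values = line.rstrip("\n").split("\t")
    if len(values) != len(fields):
        raise ValueError(f"expected {len(fields)} fields, got {len(values)}")
    return dict(zip(fields, values))


def load_intel(text):
    """Read an intel file into {indicator_type: {indicator: meta.source}}."""
    items = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        indicator, itype, source, _do_notice = line.split("\t")
        items.setdefault(itype, {})[indicator] = source
    return items


def url_indicators_with_scheme(items):
    """URL indicators that keep a scheme can never equal build_url() output."""
    return sorted(i for i in items.get("Intel::URL", {}) if "://" in i)


def build_url(rec):
    """Python rendering of HTTP::build_url(): host + uri, no scheme."""
    uri = rec["uri"] if rec["uri"] != "-" else "/<missed_request>"
    host = rec["host"] if rec["host"] != "-" else rec["id.resp_h"]
    if rec["id.resp_p"] != "80":
        host = f"{host}:{rec['id.resp_p']}"
    return host + uri


def seen_from_http(line):
    """The one (indicator, type, where) the http-url seen script reports."""
    return [(build_url(parse_log_line(line, HTTP_FIELDS)), "Intel::URL", "HTTP::IN_URL")]


def seen_from_conn(line):
    """ADDR lookups the conn-established seen script reports, if any."""
    rec = parse_log_line(line, CONN_FIELDS)
    if rec["proto"] != "tcp" or rec["conn_state"] not in ESTABLISHED_STATES:
        return []  # no handshake: ICMP pings, scans and midstream traffic
    return [(rec["id.orig_h"], "Intel::ADDR", "Conn::IN_ORIG"),
            (rec["id.resp_h"], "Intel::ADDR", "Conn::IN_RESP")]


def match(seen, items):
    """(indicator, type, where, source) tuples an intel.log line would carry."""
    return [(ind, typ, where, items[typ][ind])
            for ind, typ, where in seen if ind in items.get(typ, {})]


if __name__ == "__main__":
    intel = load_intel(INTEL_FILE)
    for bad in url_indicators_with_scheme(intel):
        print("indicator carries a scheme and cannot match:", bad)
    print("http.log ", match(seen_from_http(HTTP_LINE), intel))
    print("icmp conn", match(seen_from_conn(ICMP_CONN_LINE), intel))
    print("tcp conn ", match(seen_from_conn(TCP_CONN_LINE), intel))
```

Run against the constructed data, the http.log record rebuilds to exactly the Critical Stack indicator, so the URL lookup itself is not the obstacle for that line; the ICMP record yields no ADDR lookup at all, which is the behaviour Josh describes for a ping; and the scheme-bearing entry is flagged as one that can never match. When a feed does not produce the expected intel.log entry, comparing the indicator text with what build_url() would emit (note the ":port" suffix for non-80 services) is the first check to make before looking at which seen scripts are loaded.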