[Bro] Threat Intelligence Management

Patrick Kelley pkelley at hyperionavenue.com
Mon Jun 29 16:52:50 PDT 2015


Any documentation available on exporting MISP into a BRO-friendly format?

On Mon, Jun 29, 2015 at 3:08 PM, Andrew Ratcliffe <
andrew.ratcliffe at nswcsystems.co.uk> wrote:

> Liam,
> Thanks for that. I think it is not loading. I’ll have another look at it.
> Kind regards,
> Andy
> Andrew.Ratcliffe at NSWCSystems.co.uk
> CISSP, GCIA, GCIH, GPEN, GWAPT, CSTA, CSTP, CWSA, GCFE
> Blog.InfoSecMatters.net <http://blog.infosecmatters.net/>
>
>
>
>
>
>
> On 29 Jun 2015, at 22:21, Liam Randall <liam.randall at gmail.com> wrote:
>
> Hey Andrew,
>
> After installing did you do a
>
> sudo broctl check
> sudo broctl install
> sudo broctl restart
>
> You only need to perform that once and the future updates will be included
> automatically.
>
> If you have included  'load misc/loaded-scripts' in your local.bro you
> will generate a loaded_scripts.log that you can use to verify that the
> scripts are running:
>
> less loaded_scripts.log | grep critical-stack
>   /opt/critical-stack/frameworks/intel/__load__.bro
>     /opt/critical-stack/frameworks/intel/feeds.bro
>
> If you'd like please feel free to open a support ticket and we can help
> you figure this out offline:
> https://criticalstack.zendesk.com/hc/en-us/requests/new
>
> V/r,
>
> Liam Randall
>
>
>
>
>
>
>
> On Mon, Jun 29, 2015 at 5:12 PM, Andrew Ratcliffe <
> andrew.ratcliffe at nswcsystems.co.uk> wrote:
>
>> Josh,
>> I tried a different one just so that it was current in the logs.
>>
>> cwihosting.com/emsp/data/getproductrequest.htm Intel::URL from
>> http://www.phishtank.com/phish_detail.php?phish_id=2479331 via
>> intel.criticalstack.com F
>> [root at bro intel]# cd /usr/local/bro/logs/current/
>> [root at bro current]# grep -l cwihosting.com *.log
>> dns.log
>> http.log
>> [root at bro current]# grep cwihosting.com http.log
>> 1435611906.514899 C31ZazNObk3xTTk86 172.31.254.179 51734 72.52.170.179 80
>> 1 GET cwihosting.com /emsp/data/getproductrequest.htm - curl/7.37.1 0
>> 18464 200 OK - - - (empty) - - - - - FdGgt336pWjZZn8MBa -
>> [root at bro current]#
>>
>>
>> Thanks
>>
>> Kind regards,
>> Andy
>> Andrew.Ratcliffe at NSWCSystems.co.uk
>> CISSP, GCIA, GCIH, GPEN, GWAPT, CSTA, CSTP, CWSA, GCFE
>> Blog.InfoSecMatters.net <http://blog.infosecmatters.net/>
>>
>>
>>
>>
>>
>>
>> On 29 Jun 2015, at 21:35, Josh Liburdi <liburdi.joshua at gmail.com> wrote:
>>
>> Andy,
>>
>> If you still have these log files (or can generate them again), can
>> you share the line from http.log that contains the URL indicator?
>>
>> Thanks,
>> Josh
>>
>> On Sun, Jun 28, 2015 at 6:02 PM, Andrew Ratcliffe
>> <andrew.ratcliffe at nswcsystems.co.uk> wrote:
>>
>> Hi Josh,
>> Thanks for pointing that out. However, I still seem to have a problem:
>> www.etiksecimler.com/appraiser/ipad/ Intel::URL from
>> http://www.phishtank.com/phish_detail.php?phish_id=3266591 via
>> intel.criticalstack.com F
>> Use Curl to get the URL
>> Andys-MacBook-Air:~ andy$ curl www.etiksecimler.com/appraiser/ipad/
>> Still no intel.log entry
>> [root at bro current]# grep -l www.etiksecimler.com *.log
>> dns.log
>> http.log
>>
>> # Critical Stack, Inc - https://intel.criticalstack.com
>> @load /opt/critical-stack/frameworks/intel
>> # Uncomment the following line to enable detection of the heartbleed
>> attack.
>> Enabling
>> # this might impact performance a bit.
>> # @load policy/protocols/ssl/heartbleed
>> @load conn-geoip2.bro
>> @load intel-2.bro
>> #@load bpf-filter.bro
>>
>> Kind regards,
>> Andy
>> Andrew.Ratcliffe at NSWCSystems.co.uk
>> CISSP, GCIA, GCIH, GPEN, GWAPT, CSTA, CSTP, CWSA, GCFE
>> Blog.InfoSecMatters.net <http://blog.infosecmatters.net/>
>>
>>
>>
>>
>>
>>
>> On 27 Jun 2015, at 23:55, Josh Liburdi <liburdi.joshua at gmail.com> wrote:
>>
>> Andy,
>>
>> By default the Intel framework only generates log entries for IP addresses
>> if the connection is a fully established TCP connection. That's probably
>> why
>> pinging an IP did not generate an entry.
>>
>> Josh
>>
>> On Saturday, Jun 27, 2015 at 5:39 PM, Andrew Ratcliffe
>> <andrew.ratcliffe at nswcsystems.co.uk>, wrote:
>>
>>
>> Hi,
>> I tried using criticalstack, as it sounds like a really cool idea. I just
>> can’t seem to get any events from it.
>>
>> Should events go to the notice.log or the intel.log?
>>
>> I tried a ping from an address present in the feed then looked for output
>> and I have conn.log ICMP entry and a syslog entry but nothing else.
>> Andys-MacBook-Air:~ andy$ ping 89.106.121.76
>>
>> [root at bro current]# grep -l '89.106.121.76' *.log
>> conn.log
>> syslog.log
>>
>> 1435439487.024865 C6HBUkZ7i07zlYE5a 172.31.254.179 8 89.106.121.76 0 icmp
>> - 9.123324 560 560 OTH T 0 - 1840 10 840 (empty) - BG - - 22.872499
>> 43.990002
>>
>> I have some Intel loaded from CIF2 and that works OK, I use the test
>> event:
>> Andys-MacBook-Air:~ andy$ curl http://testmyids.com
>> uid=0(root) gid=0(root) groups=0(root)
>> intel.log
>> 1435439895.054961 CaEWz015AEjRJRruN2 172.31.254.179 55025 172.31.254.80 53
>> - - - testmyids.com Intel::DOMAIN DNS::IN_REQUEST Tester
>> 1435439895.054965 COdqds1DkdarGlSnY1 172.31.254.179 53210 172.31.254.80 53
>> - - - testmyids.com Intel::DOMAIN DNS::IN_REQUEST Tester
>> 1435439895.055305 CLcqwd2xLkH0MUUtf3 172.31.254.80 50910 8.8.4.4 53 - - -
>> testmyids.com Intel::DOMAIN DNS::IN_REQUEST Tester
>> 1435439895.055309 Cwdyhm1vbT1SnTiSG1 172.31.254.80 50639 8.8.4.4 53 - - -
>> testmyids.com Intel::DOMAIN DNS::IN_REQUEST Tester
>> 1435439895.253858 CtMoHr3h546C8UmdSi 172.31.254.179 50214 82.165.177.154
>> 80 - - - testmyids.com Intel::DOMAIN HTTP::IN_HOST_HEADER Tester
>>
>> Am I doing something wrong?
>>
>> Kind regards,
>> Andy
>> Andrew.Ratcliffe at NSWCSystems.co.uk
>> CISSP, GCIA, GCIH, GPEN, GWAPT, CSTA, CSTP, CWSA, GCFE
>> Blog.InfoSecMatters.net <http://blog.infosecmatters.net/>
>>
>>
>>
>>
>>
>>
>> On 25 Jun 2015, at 13:51, Liam Randall <liam.randall at gmail.com> wrote:
>>
>> No Critical Stack is entirely custom; we are not building a TIP.  We
>> wanted to have an easy way to have actionable into stream into bro as it
>> is
>> to discovered so we built it.  We thought others would want it as well so
>> we
>> make it freely available to the community.  We are getting ready to
>> launch a
>> new extension to it called KITTY- Keep Intel Transactions To Yourself that
>> allow you to privately share and deploy 100's of Millions of indicators
>> in a
>> fast memory efficient way.  It integrates directly with our online
>> marketplace- we deployed our first test clients this week.  We'll announce
>> more shortly @CriticalStack .
>>
>> For TIPs there are a lot of great solutions you should look at:
>>
>> Free:
>> MISP
>> CRITS
>>
>> Commercial:
>> Soltra Edge (has a free version)
>> ThreatConnect
>> ThreatStream
>> ThreatQ (ThreatQuotient)
>> BrightPoint Security (formerly Vorstack)
>>
>>
>> V/r,
>>
>> Liam Randall
>>
>>
>> On Thu, Jun 25, 2015 at 8:37 AM, Harry Hoffman <hhoffman at ip-solutions.net
>> >
>> wrote:
>>
>>
>> Is critical stack based upon CIF (collective intelligence framework)?
>>
>> It looks very similar.
>>
>> Cheers,
>> Harry
>>
>>
>> On Jun 25, 2015 7:44 AM, Heine Lysemose <lysemose at gmail.com> wrote:
>>
>>
>> Hi
>>
>> I encourage you to have a look at, https://intel.criticalstack.com/
>>
>> Best,
>> Lysemose
>>
>> On Thu, Jun 25, 2015 at 1:31 PM, Jan Grashofer <jan.grashofer at cern.ch>
>> wrote:
>>
>>
>> Hi all,
>>
>> I am having a look at Threat Intelligence Management solutions, which
>> can be used with Bro. What do you use and what are your experiences?
>>
>> Regards,
>> Jan
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>> <http://mailman.icsi.berkeley.edu/mailman/listinfo/bro>
>>
>>
>>
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>> <http://mailman.icsi.berkeley.edu/mailman/listinfo/bro>
>>
>>
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>> <http://mailman.icsi.berkeley.edu/mailman/listinfo/bro>
>>
>>
>>
>>
>>
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>



-- 

Patrick Kelley, CEH
Hyperion Avenue Labs
http://www.hyperionavenue.com
951.291.8310

*The limit to which you have accepted being comfortable is the limit to
which you have grown. Accept new challenges as an opportunity to enrich
yourself and not as a point of potential failure.*

[image: hal_logo]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150629/9b603554/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 12155 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150629/9b603554/attachment-0001.bin 


More information about the Bro mailing list