[Bro] Intel Framework Issues
dbora at isightpartners.com
Mon Nov 23 10:42:13 PST 2015
There are no errors as far as I can tell. I use a python script to generate my feeds but I also tried it on the mal-dnssearch feeds which are pre-formatted. In both cases, I am only successful on domains not IPs. Both have the same tab separation and header delineation.
From: Jan Grashofer <jan.grashofer at cern.ch>
Date: Monday, November 23, 2015 at 12:53 PM
To: Disha Bora <dbora at isightpartners.com>, "bro at bro.org" <bro at bro.org>
Subject: RE: Intel Framework Issues
For URLs there is an important detail I missed the first time, when I used the intel framework. The documentation says: Intel::URL - A complete URL _without_ the prefix "http://".
However, IPs worked for me without any problem. Did you see any errors in the logs regarding the intel-files you use? Depending on how you generate your feeds the intel linter (https://github.com/packetsled/bro_intel_linter) might be helpful for you.
From: bro-bounces at bro.org [bro-bounces at bro.org] on behalf of Disha Bora [dbora at isightpartners.com]
Sent: Monday, November 23, 2015 18:12
To: bro at bro.org
Subject: [Bro] Intel Framework Issues
I have been using Bro's intel framework to input my intelligence feed and get matches in intel.log. I seem to only be getting hits on domains but not IPs or URLs. I have also tried it on the mal-dnssearch feeds with the same results. Is there any particular reason why this would happen? How can I fix it?
Associate Product Manager
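An added example (not the list members' feed script and not the linked bro_intel_linter) of the two points raised in this thread: a generator that writes the tab-separated "#fields" file the Intel framework reads and strips the scheme from URL indicators as the Intel::URL documentation quoted above requires, plus a small lint pass over the result. The indicator values and source name are constructed.

```python
import ipaddress

# Header columns for a Bro intel input file; the file is tab-separated and
# begins with a "#fields" line naming them.
FIELDS = ["indicator", "indicator_type", "meta.source", "meta.desc", "meta.do_notice"]

def classify(value):
    """Return (indicator, Intel type) for one raw indicator string.

    URLs lose their scheme, per the Intel::URL documentation quoted in the
    thread; bare IP addresses become Intel::ADDR; everything else is a domain.
    """
    value = value.strip()
    for scheme in ("http://", "https://"):
        if value.lower().startswith(scheme):
            return value[len(scheme):], "Intel::URL"
    try:
        ipaddress.ip_address(value)
        return value, "Intel::ADDR"
    except ValueError:
        pass
    if "/" in value:  # has a path but no scheme: already a bare URL
        return value, "Intel::URL"
    return value.lower(), "Intel::DOMAIN"

def build_intel_file(raw_indicators, source, desc="constructed sample", do_notice="T"):
    """Produce the text of an intel file from raw indicator strings (constructed data)."""
    lines = ["#fields\t" + "\t".join(FIELDS)]
    for raw in raw_indicators:
        indicator, itype = classify(raw)
        lines.append("\t".join([indicator, itype, source, desc, do_notice]))
    return "\n".join(lines) + "\n"

def lint(text):
    """Return a list of problems: bad header, wrong field count, URL with scheme, bad address."""
    problems = []
    lines = text.splitlines()
    if not lines or not lines[0].startswith("#fields\t"):
        return ["line 1: missing '#fields' header followed by a tab"]
    ncols = len(lines[0].split("\t")) - 1  # exclude the "#fields" token itself
    for n, line in enumerate(lines[1:], start=2):
        if not line:
            continue
        cols = line.split("\t")
        if len(cols) != ncols:
            problems.append(f"line {n}: expected {ncols} tab-separated fields, got {len(cols)}")
        elif cols[1] == "Intel::URL" and cols[0].lower().startswith(("http://", "https://")):
            problems.append(f"line {n}: Intel::URL indicator must not carry the scheme")
        elif cols[1] == "Intel::ADDR":
            try:
                ipaddress.ip_address(cols[0])
            except ValueError:
                problems.append(f"line {n}: {cols[0]!r} is not a valid address")
    return problems
```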