[Bro] Intel Framework Issues

Patrick Kelley pkelley at hyperionavenue.com
Mon Nov 23 11:20:15 PST 2015


This is true. I had to write a new script that will match for uncompleted
connections.

However, and as you might expect, it is costly in terms of performance.

On Mon, Nov 23, 2015 at 10:47 AM, Josh Liburdi <liburdi.joshua at gmail.com>
wrote:

> I think the most common gotcha for IP addresses is that they will only
> appear in intel.log when they are a part of a successful TCP connection.
> Unsuccessful TCP connections and non-TCP connections will not appear in the
> log.
>
> Josh
>
> On Nov 23, 2015, at 12:53 PM, Jan Grashofer <jan.grashofer at cern.ch> wrote:
>
> Hi,
>
>
> For URLs there is an important detail I missed the first time I used
> the intel framework. The documentation says: Intel::URL - A complete URL
> _without_ the prefix "http://".
>
>
> However, IPs worked for me without any problem. Did you see any errors in
> the logs regarding the intel files you use? Depending on how you generate
> your feeds the intel linter (
> https://github.com/packetsled/bro_intel_linter) might be helpful for you.
>
>
> Best regards,
> Jan
>
>
> ------------------------------
> *From:* bro-bounces at bro.org [bro-bounces at bro.org] on behalf of Disha Bora
> [dbora at isightpartners.com]
> *Sent:* Monday, November 23, 2015 18:12
> *To:* bro at bro.org
> *Subject:* [Bro] Intel Framework Issues
>
> Hi,
>
> I have been using Bro's intel framework to input my intelligence feed and
> get matches in intel.log. I seem to only be getting hits on domains but not
> IPs or URLs. I have also tried it on the mal-dnssearch feeds with the same
> results. Is there any particular reason why this would happen? How can I
> fix it?
>
> Thanks!
>
> Disha Bora
> Associate Product Manager
> iSIGHT Partners
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>



-- 

Patrick Kelley, CEH
Hyperion Avenue Labs
http://www.hyperionavenue.com
951.291.8310

*The limit to which you have accepted being comfortable is the limit to
which you have grown. Accept new challenges as an opportunity to enrich
yourself and not as a point of potential failure.*
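As an added example (it is not the script Patrick mentions, nor code from anyone in the thread): a Bro script, written against the 2.4-era API, that submits both endpoints of unsuccessful TCP connections and of non-TCP flows to the intel framework, so that address indicators can match outside of established TCP sessions, which is exactly the gap Josh describes. The module name and the two `Intel::Where` values are invented here for illustration; `connection_attempt`, `connection_rejected`, `new_connection`, `Intel::seen` and `get_port_transport_proto` are stock Bro.

```bro
##! Added example, not part of the original thread: feed hosts from
##! unsuccessful TCP connections and from non-TCP flows into the Intel
##! framework. The stock policy only calls Intel::seen from
##! connection_established, which is why IP indicators otherwise show up
##! in intel.log only for completed TCP handshakes.

@load base/frameworks/intel

# Module name is an assumption chosen for this example.
module IntelAttempt;

export {
    ## Extra "where seen" locations (also assumptions for this example), so
    ## intel.log distinguishes these hits from the stock Conn::IN_ORIG /
    ## Conn::IN_RESP matches made on established connections.
    redef enum Intel::Where += {
        IntelAttempt::IN_ATTEMPT_ORIG,
        IntelAttempt::IN_ATTEMPT_RESP,
    };
}

# Submit both endpoints of a connection to the intel framework. Intel::seen
# looks the address up in the loaded indicator set and, on a hit, writes an
# intel.log entry tied to this connection's uid.
function seen_both(c: connection)
{
    Intel::seen([$host=c$id$orig_h, $conn=c, $where=IntelAttempt::IN_ATTEMPT_ORIG]);
    Intel::seen([$host=c$id$resp_h, $conn=c, $where=IntelAttempt::IN_ATTEMPT_RESP]);
}

# SYN sent and no reply seen within tcp_attempt_delay: the classic case of an
# internal host trying to reach a listed address that is down or sinkholed.
event connection_attempt(c: connection)
{
    seen_both(c);
}

# SYN answered with a RST: the peer is reachable but refused the connection.
event connection_rejected(c: connection)
{
    seen_both(c);
}

# UDP and ICMP flows never raise connection_established, so check them when
# the connection is first seen. TCP is excluded here because the stock
# connection_established handler (or the two events above) already covers it.
# This handler runs for every non-TCP flow, which is where most of the added
# cost Patrick mentions comes from.
event new_connection(c: connection)
{
    if ( get_port_transport_proto(c$id$resp_p) != tcp )
        seen_both(c);
}
```

Loading this from local.bro (`@load` with the path it is saved under) is enough; the new `where` values appear in the `seen.where` column of intel.log. If the per-flow lookups are too expensive on a busy sensor, the usual mitigation is to guard `seen_both` with a check that one endpoint is inside the monitored local networks, so external-to-external noise is never looked up.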
