[Bro] Intel framework troubleshooting on Bro 2.5

Hovsep Levi hovsep.sanjay.levi at gmail.com
Fri Oct 7 08:56:34 PDT 2016


Are there any tricks to use when debugging the Intel framework that would
show parsing errors ?

The problem we have is when combining multiple intel files one bad file
seems to corrupt the entire lot.


http://blog.bro.org/2014/01/intelligence-data-and-bro_4980.html

Following that guide works fine, there are a number of intel hits on Tor
activity within minutes of restarting Bro.  When we add in the giant list
of intel from CriticalStack the Tor intel hits no longer trigger which
suggests an issue with that file.  Commenting out the tor.intel file sort
of narrows it down to the CriticalStack file but it also suggests that a
bad intel file somehow corrupts previously read files.  (they both use a
list of Tor exit nodes from the Suricata project.)

I've checked the files for correct headers, no spaces, and tab formatting
all which seem to be OK.


#---- from local.bro file ----#

@load frameworks/intel/seen
@load frameworks/intel/do_notice

# Load custom intel feed
@load local-intel.bro



#---- local-intel.bro file ------#

[bro at mgr /opt/bro]$ less /opt/bro/share/bro/site/local-intel.bro
const feed_directory = "/opt/bro/feeds";

redef Intel::read_files += {
#       feed_directory + "/tor.intel",
        feed_directory + "/critical-stack/master-public.bro.dat"
};



-Hovsep
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20161007/04817903/attachment.html 


More information about the Bro mailing list