[Bro] Issues with intel framework

Azoff, Justin S jazoff at illinois.edu
Fri Sep 16 12:49:04 PDT 2016

> On Sep 16, 2016, at 2:59 PM, James Gordon <gordonjamesr at gmail.com> wrote:
> Thanks Justin!
> Adding an entry for www.reddit.com:443 seemed to do the trick. I’ll experiment with removing the port from the http-headers.bro file in a test environment so that we don’t have to add duplicate entries for all https sites. Unfortunately, I added another entry in the intel_domains.dat file for www.linux.com:443, and that still is not firing intel hits.

Is www.linux.com or www.linux.com:443 showing up anywhere?  It should be in at least some of the dns/http/ssl logs

> I have '@load intel' in my local.bro file, and I modified intel’s __load__.bro to include the new intel_domains.dat (as found in the original attachment). Is that all that should be necessary to load a new .dat into the intel framework? 

Don't modify any of the installed scripts.  If you want to load an additional intel file use

redef Intel::read_files += {
	"/full/path/to/intel_domains.dat",   # placeholder: absolute path to your new .dat file
};

in your local.bro or another script that you load from your local.bro

To avoid hardcoding the full path you can use

redef Intel::read_files += {
	fmt("%s/filename.dat", @DIR),   # @DIR is the directory of the script containing this redef
};

> Also, thanks for explaining the way connections are alerted on! I see value in alerting on failed outbound connections that we’re suspicious about.
> This is probably a dumb question, but should I replace $bropath/policy/frameworks/intel/seen/conn-established.bro with a conn-attempted.bro, or will it be necessary to use both if I want to be alerted on both successful and attempted connections?
> Thanks again,
> James Gordon

You'll need both.  Create an intel-conn-attempted.bro file next to your local.bro and include the code there.

- Justin Azoff
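As an added illustration of the two points above (not code from this thread or from the Bro distribution), here is what a complete intel-conn-attempted.bro placed next to local.bro could look like. It loads an extra indicator file relative to the script via @DIR, and adds a connection_attempt handler so that unanswered outbound SYNs are checked against the intel store in addition to the handshakes the stock conn-established.bro already covers. The file name intel_domains.dat, the indicator line shown in the comments and the meta.source value are assumptions made for the example.

```bro
# intel-conn-attempted.bro -- added example; not part of the mailing-list
# thread or the Bro distribution. Lives next to local.bro and is pulled in
# from there with:  @load ./intel-conn-attempted

@load base/frameworks/intel
@load policy/frameworks/intel/seen

# Load the extra indicator file from this script's own directory, so the
# installed intel scripts stay untouched and no absolute path is hard-coded.
# (intel_domains.dat is an assumed file name.) The file is tab-separated and
# must start with a #fields header; the columns below are separated by TABs:
#   #fields	indicator	indicator_type	meta.source	meta.desc
#   www.linux.com	Intel::DOMAIN	local-list	constructed sample entry
#   203.0.113.10	Intel::ADDR	local-list	constructed sample entry
redef Intel::read_files += {
	fmt("%s/intel_domains.dat", @DIR),
};

# The stock conn-established.bro only calls Intel::seen() once a handshake
# completes, so a blocked or unanswered outbound SYN to a listed address is
# never matched. connection_attempt fires for exactly those connections, so
# this handler checks the responder address against the intel store too.
# Only Intel::ADDR (and subnet) indicators can match here: a bare SYN carries
# no hostname, so domain indicators are still matched by the dns/http/ssl
# seen scripts.
event connection_attempt(c: connection)
	{
	# Only consider attempts that originate inside the local network, so
	# inbound scans against us do not produce intel hits for the scanner.
	if ( ! Site::is_local_addr(c$id$orig_h) )
		return;

	Intel::seen([$host=c$id$resp_h,
	             $conn=c,
	             $where=Conn::IN_RESP]);
	}
```

Keep the stock conn-established.bro loaded as well; this file only adds the attempted-connection case, and each matching attempt shows up in intel.log with seen.where set to Conn::IN_RESP.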
