[Bro] Intel.log wrong format
Azoff, Justin S
jazoff at illinois.edu
Tue Jan 24 08:02:53 PST 2017
The log is fine, I think you're just looking at the wrong columns. Try piping the log file to this alias, and you'll see that the fields line up the way they are supposed to.
alias bro-column="sed \"s/fields.//;s/types.//\" | column -s $'\t' -t"
- Justin Azoff
> On Jan 24, 2017, at 10:39 AM, -- Rodrigo Kroll -- <rodrigokroll at gmail.com> wrote:
> Good morning guys,
> I'm using the INTEL bro framework successfully. I'm having a hard time understanding why inside my intel.log file, the information "Intel::ADDR" is showing twice. It is identified by the fields "seen.indicator_type" and "matched sources".
> Which seems wrong; in my understanding, matched sources should've been identified by the text "Bad Reputation Domain", which actually ends up being identified as the field "fuid".
> A log sample is below:
> root at BroTest:~# zcat /usr/local/bro/logs/2017-01-23/intel.13\:00\:00-14\:00\:00.log.gz
> #separator \x09
> #set_separator ,
> #empty_field (empty)
> #unset_field -
> #path intel
> #open 2017-01-23-13-01-54
> #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator seen.indicator_type seen.where seen.node matched sources fuid file_mime_type file_desc
> #types time string addr port addr port string enum enum string set[enum] set[string] string string string
> 1485194513.356126 CVmspB2e68PB5ZiXU5 192.168.1.3 47712 XXX.XXX.XXX.XXX 80 XXX.XXX.XXX.XXX Intel::ADDR Conn::IN_RESP bro Intel::ADDR Bad Reputation Domain - - -
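What the column alias shows visually, done as a parser: the added example below (written for this page, not code from the thread or from Bro itself) reads the #separator, #fields and #types header lines of a Bro TSV log and zips each data row into a dict keyed by field name, converting sets and numeric types along the way. On the sample row, built from the excerpt above with the masked responder address replaced by the documentation address 203.0.113.7, the first "Intel::ADDR" lands in seen.indicator_type, the second in the matched set, "Bad Reputation Domain" in sources, and fuid comes out unset (the "-" column). The function also refuses rows whose column count does not match the header, which is the usual cause of values appearing under the wrong name.

```python
"""Added example: parse a Bro TSV log by its #fields / #types header.
Not code from the mailing-list thread and not Bro's own implementation."""
from typing import Any, Dict, List, Optional

# Constructed sample, modelled on the intel.log excerpt in the thread. Header
# lines after #separator use the separator itself (a tab) between key and value.
SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tintel",
    "#open\t2017-01-23-13-01-54",
    "\t".join(["#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h",
               "id.resp_p", "seen.indicator", "seen.indicator_type", "seen.where",
               "seen.node", "matched", "sources", "fuid", "file_mime_type",
               "file_desc"]),
    "\t".join(["#types", "time", "string", "addr", "port", "addr", "port",
               "string", "enum", "enum", "string", "set[enum]", "set[string]",
               "string", "string", "string"]),
    # 203.0.113.7 stands in for the XXX.XXX.XXX.XXX masked in the original post
    "\t".join(["1485194513.356126", "CVmspB2e68PB5ZiXU5", "192.168.1.3", "47712",
               "203.0.113.7", "80", "203.0.113.7", "Intel::ADDR", "Conn::IN_RESP",
               "bro", "Intel::ADDR", "Bad Reputation Domain", "-", "-", "-"]),
    "#close\t2017-01-23-14-00-00",
])


def _convert(raw: str, typ: str, set_sep: str, unset: str, empty: str) -> Any:
    """Turn one raw column into a Python value according to its #types entry."""
    if raw == unset:                       # "-" : field not set in this record
        return None
    if typ.startswith(("set[", "vector[")):
        return [] if raw == empty else raw.split(set_sep)
    if raw == empty:                       # "(empty)" : present but empty
        return ""
    if typ in ("port", "count", "int"):
        return int(raw)
    if typ in ("time", "double", "interval"):
        return float(raw)
    return raw                             # string, addr, enum, ... stay as text


def parse_bro_log(text: str) -> List[Dict[str, Any]]:
    """Parse a Bro/Zeek TSV log into a list of {field_name: value} records."""
    sep, set_sep, unset, empty = "\t", ",", "-", "(empty)"
    fields: Optional[List[str]] = None
    types: Optional[List[str]] = None
    records: List[Dict[str, Any]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # the separator is written as an escape such as \x09 (a tab)
                sep = line.split(" ", 1)[1].encode("ascii").decode("unicode_escape")
                continue
            key, _, value = line.partition(sep)
            if key == "#set_separator":
                set_sep = value
            elif key == "#unset_field":
                unset = value
            elif key == "#empty_field":
                empty = value
            elif key == "#fields":
                fields = value.split(sep)
            elif key == "#types":
                types = value.split(sep)
            continue  # #path, #open, #close carry no per-row information
        if fields is None or types is None:
            raise ValueError("data row appears before the #fields/#types header")
        values = line.split(sep)
        if len(values) != len(fields):
            # a row that does not line up with the header would otherwise shift
            # every value into the wrong column name
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        records.append({name: _convert(raw, typ, set_sep, unset, empty)
                        for name, typ, raw in zip(fields, types, values)})
    return records


if __name__ == "__main__":
    for record in parse_bro_log(SAMPLE_LOG):
        for name, value in record.items():
            print(f"{name:20} {value!r}")
```

Running the block prints one name/value pair per line, which makes the pairing the column alias shows explicit: matched is the set ['Intel::ADDR'], sources is the set ['Bad Reputation Domain'], and fuid is None.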