[Bro] Intel.log wrong format

Azoff, Justin S jazoff at illinois.edu
Tue Jan 24 08:02:53 PST 2017

The log is fine, I think you're just looking at the wrong columns.  Try piping the log file to this alias, and you'll see that the fields line up the way they are supposed to.

alias bro-column="sed \"s/fields.//;s/types.//\" | column -s $'\t' -t"

- Justin Azoff

> On Jan 24, 2017, at 10:39 AM, -- Rodrigo Kroll -- <rodrigokroll at gmail.com> wrote:
> Good morning guys,
> I'm using the INTEL bro framework successfully. I'm having a hard time to understand why inside my intel.log file, the information "Intel::ADDR" is showing twice. In identified by the fields "seen.indicator_type" and "matched sources".
> Which seems wrong, in my understanding matched sources should've been identified by the text "Bad Reputation Domain", which is actually end up being identified as the field "fuid".
> A log sample is below:
> root at BroTest:~# zcat /usr/local/bro/logs/2017-01-23/intel.13\:00\:00-14\:00\:00.log.gz
> #separator \x09
> #set_separator  ,
> #empty_field    (empty)
> #unset_field    -
> #path   intel
> #open   2017-01-23-13-01-54
> #fields ts      uid     id.orig_h       id.orig_p       id.resp_h       id.resp_p       seen.indicator  seen.indicator_type     seen.where      seen.node       matched sources fuid    file_mime_type  file_desc
> #types  time    string  addr    port    addr    port    string  enum    enum    string  set[enum]       set[string]     string  string  string
> 1485194513.356126       CVmspB2e68PB5ZiXU5     47712   XXX.XXX.XXX.XXX  80      XXX.XXX.XXX.XXX  Intel::ADDR     Conn::IN_RESP   bro     Intel::ADDR     Bad Reputation Domain   -       -       -

More information about the Bro mailing list