[Bro] Intel framework not working as expected

James Lay jlay at slave-tothe-box.net
Wed Jan 17 11:46:32 PST 2018

So I have a current working intel framework via this:


this works great and the intel feeds fire off in intel.log.  With a
couple minor tweaks, I modded the info here to make a newdomain.intel


From my newdomain.intel (obfuscation added):
#fields indicator indicator_type meta.source meta.url meta.do_notice
00009117[.]com Intel::DOMAIN newdomains - F -
0000dw[.]com Intel::DOMAIN newdomains - F -
0008[.]red Intel::DOMAIN newdomains - F - 

And my intel lines in local.bro: 
redef Intel::read_files += {


As I'm typing this I think I might have the answer, but now I have
another question :D  If I do a DNS request for 0008[.]red I get:

"2018-01-17T17:01:25+0000 Cn235WxlXKegS2qn4 x.x.x.x 61616 x.x.x.x 53 udp 4327 0.260124 000movies[.]com 1 C_INTERNET 1 A 0 NOERROR F F T T 0 x.x.x.x 14400.000000 F"

but nothing in the intel.log.  So...it appears that the intel framework
is using just active connections?  Which makes sense, but now, how would
I get bro to, in layman's terms: "bounce dns requests off of the intel
lists as well"?  Please let me know if I haven't explained this well
enough. Thank you.
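The Intel framework does consult DNS query names when the `frameworks/intel/seen` policy scripts are loaded (they feed each `dns_request` query to `Intel::seen`), and an intel file is only loaded if its columns are tab-separated. The check below is an added example, not code from the original post or from Bro: it parses an intel file in the `#fields` format shown above, reports lines Bro would reject, and tests a DNS query name against the `Intel::DOMAIN` indicators. The sample file contents are constructed.

```python
# Offline check of a Bro intel file against a DNS query name (added example).
# Assumption: indicators are matched exactly (case-insensitive), as a
# simplified stand-in for the framework's own lookup.

# Constructed sample: three good TAB-separated lines and one line that is
# space-separated, which Bro's input framework would not load.
SAMPLE_INTEL = (
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.url\tmeta.do_notice\n"
    "bad-one.example\tIntel::DOMAIN\tnewdomains\t-\tF\n"
    "bad-two.example\tIntel::DOMAIN\tnewdomains\t-\tF\n"
    "broken.example Intel::DOMAIN newdomains - F\n"
)


def parse_intel(text):
    """Return (entries, problems): entries are dicts keyed by the #fields
    header; problems list (line number, reason) for lines Bro would reject."""
    fields, entries, problems = None, [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue  # other comment/directive line
        if fields is None:
            problems.append((lineno, "data line before #fields header"))
            continue
        cols = line.split("\t")
        if len(cols) != len(fields):
            problems.append((lineno, "expected %d tab-separated columns, got %d"
                             % (len(fields), len(cols))))
            continue
        entries.append(dict(zip(fields, cols)))
    return entries, problems


def domain_indicators(entries):
    """Set of lowercase Intel::DOMAIN indicators from parsed entries."""
    return {e["indicator"].lower() for e in entries
            if e["indicator_type"] == "Intel::DOMAIN"}


def dns_query_hits(indicators, query):
    """True if the DNS query name (any case, optional trailing dot) is an
    indicator. Exact match only; subdomains of an indicator do not hit."""
    return query.lower().rstrip(".") in indicators


if __name__ == "__main__":
    entries, problems = parse_intel(SAMPLE_INTEL)
    print("loaded %d entries, %d rejected lines" % (len(entries), len(problems)))
    print("hit:", dns_query_hits(domain_indicators(entries), "BAD-ONE.example."))
```

Lines reported in `problems` are the first thing to check when a feed loads silently but never fires.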
