[Bro] A little more confusion with Intel

James Lay jlay at slave-tothe-box.net
Thu Jan 18 08:42:56 PST 2018


So I'm testing something completely unrelated to this issue, but I've
run into something interesting.  First off following this works: 

https://www.bro.org/current/solutions/intel/index.html 

my test intel-1.bro: 
@load frameworks/intel/seen

redef Intel::read_files += {
fmt("%s/intel-1.dat", @DIR)
}; 

my intel-1.dat file (whitespace=tab): 
#fields indicator indicator_type meta.source
fetchback.com Intel::DOMAIN my_special_source
yahoo.com Intel::DOMAIN testdomain 

I've carved out the dns request for fetchback.com from the exercise
packet capture, which I'm including.  Testing line below works just
fine: 

bro -C -r exercise-traffic-fetch-dns.pcap intel-1.bro 

I see lots of good stuff: 
conn.log
1258565309.806483 CmeOAzpOmlw26nOEi 192.168.1.103 53856 192.168.1.1 53
udp dns 0.200354 31 99 SF - - 0 Dd 1 59 1 127 (empty)

dns.log
1258565309.806483       CVifWt1zc5YSG0Vhc9      192.168.1.103   53856  
192.168.1.1     53      udp     4438    0.200354        fetchback.com  
1       C_INTERNET      1       A       0       NOERROR F       F     
TT       0       69.71.52.52     1800.000000 F

intel.log
1258565309.806483 CmeOAzpOmlw26nOEi 192.168.1.103 53856 192.168.1.1 53
fetchback.com Intel::DOMAIN DNS::IN_REQUEST bro Intel::DOMAIN
my_special_source - - -

however running against the included yahoodns.pcap here's what I get: 
conn.log 
1516289219.143906 CFXRMB4RJIFYSdw72a 192.168.1.2 62196 192.168.1.1 53
udp dns 0.003246 31 124 SF - - 0 Dd 1 59 1 152 (empty)

dns.log 
1516289219.143906 CFXRMB4RJIFYSdw72a 192.168.1.2 62196 192.168.1.1 53
udp 3285 0.003246 www.yahoo.com 1 C_INTERNET 1 A 0 NOERROR F F TT 0
atsv2-fp.wg1.b.yahoo.com,98.138.252.38,98.138.252.39,98.139.180.180,206.190.39.43
1320.000000,39.000000,39.000000,39.000000,39.000000 F 

and no intel.log.  What's different here?  Would love to know what I'm
missing... thank you. 

James 
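An added example (not from the post and not Bro's own code) that models the lookup the post describes: it parses the tab-separated intel file format shown above and looks up the two query names from the dns.log excerpts. It assumes that the DNS::IN_REQUEST path looks up Intel::DOMAIN indicators by exact string match on the query name, which is why www.yahoo.com does not hit the yahoo.com entry; the parent-domain walk at the end is an illustrative defender-side extension, not framework behaviour.

```python
"""Model of an Intel::DOMAIN lookup against an intel file (constructed example)."""
from typing import Dict, List, Optional, Tuple

# Same rows as the intel-1.dat in the post; columns are tab-separated.
INTEL_DAT = (
    "#fields\tindicator\tindicator_type\tmeta.source\n"
    "fetchback.com\tIntel::DOMAIN\tmy_special_source\n"
    "yahoo.com\tIntel::DOMAIN\ttestdomain\n"
)

# Query names taken from the two dns.log excerpts in the post.
QUERIES = ["fetchback.com", "www.yahoo.com"]

Store = Dict[Tuple[str, str], Dict[str, str]]


def parse_intel(text: str) -> Store:
    """Read the #fields header and data rows into a store keyed by
    (indicator, indicator_type); other '#' lines are treated as comments."""
    fields: List[str] = []
    store: Store = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue
        if not fields:
            raise ValueError("data row before #fields header")
        cols = line.split("\t")
        if len(cols) != len(fields):
            raise ValueError(f"expected {len(fields)} columns: {line!r}")
        row = dict(zip(fields, cols))
        store[(row["indicator"], row["indicator_type"])] = row
    return store


def lookup_domain(store: Store, query: str) -> Optional[Dict[str, str]]:
    """Exact match, assumed to be how the DNS query is checked against Intel::DOMAIN."""
    return store.get((query, "Intel::DOMAIN"))


def lookup_domain_parents(store: Store, query: str) -> List[str]:
    """Illustrative extension: also try each parent domain (never the bare TLD),
    so an indicator for yahoo.com would cover www.yahoo.com."""
    labels = query.split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)
            if lookup_domain(store, ".".join(labels[i:])) is not None]


if __name__ == "__main__":
    s = parse_intel(INTEL_DAT)
    for q in QUERIES:
        print(q, "exact:", lookup_domain(s, q), "parents:", lookup_domain_parents(s, q))
```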