[Bro] two issues with the intel framework

John Babio jbabio at po-box.esu.edu
Sat Nov 23 05:32:16 PST 2013


Reporter.log

#separator \x09
#set_separator  ,
#empty_field    (empty)
#unset_field    -
#path   reporter
#open   2013-11-23-08-28-18
#fields ts      level   message location
#types  time    enum    string  string
1385213298.936827       Reporter::ERROR /etc/bro/spool/installed-scripts-do-not-touch/site/intel1.txt/Input::READER_ASCII: Did not find requested field indicator in input data file /etc/bro/spool$
1385213298.936827       Reporter::ERROR /etc/bro/spool/installed-scripts-do-not-touch/site/intel1.txt/Input::READER_ASCII: Init: cannot open /etc/bro/spool/installed-scripts-do-not-touch/site/int$
1385213298.936827       Reporter::ERROR /etc/bro/spool/installed-scripts-do-not-touch/site/intel1.txt/Input::READER_ASCII: Init failed  (empty)
1385213298.936827       Reporter::ERROR /etc/bro/spool/installed-scripts-do-not-touch/site/intel1.txt/Input::READER_ASCII: terminating thread   (empty)

/etc/bro/share/bro/site/intel.txt

#fields         indicator       indicator_type          meta.source
instagram.com   Intel::DOMAIN   my_special_source

local.bro

@load intel1.bro

intel1.bro

@load frameworks/intel/seen

redef Intel::read_files += {
        fmt("%s/intel1.txt", @DIR)
};








________________________________________
From: Bernhard Amann [bernhard at ICSI.Berkeley.EDU]
Sent: Friday, November 22, 2013 9:14 PM
To: Seth Hall
Cc: John Babio; bro at bro.org
Subject: Re: [Bro] two issues with the intel framework

Also - check if the header fields are separated by tab characters and not by spaces.
That might be the problem.

Bernhard
On Nov 22, 2013, at 6:05 PM, Seth Hall <seth at icir.org> wrote:

>
> On Nov 22, 2013, at 8:26 PM, John Babio <jbabio at po-box.esu.edu> wrote:
>
>> The other error is "headers are incorrect". Any help would be appreciated. Thanks!
>
>
> It's helpful to post exactly why errors you're seeing and exactly how you're configuring and running Bro (i.e., send the exact errors and send an example of something you can provide Bro to reproduce the error.
>
> Thanks,
>  .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro





More information about the Bro mailing list