[Bro] two issues with the intel framework
John Babio
jbabio at po-box.esu.edu
Sat Nov 23 05:32:16 PST 2013
Reporter.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path reporter
#open 2013-11-23-08-28-18
#fields ts level message location
#types time enum string string
1385213298.936827 Reporter::ERROR /etc/bro/spool/installed-scripts-do-not-touch/site/intel1.txt/Input::READER_ASCII: Did not find requested field indicator in input data file /etc/bro/spool$
1385213298.936827 Reporter::ERROR /etc/bro/spool/installed-scripts-do-not-touch/site/intel1.txt/Input::READER_ASCII: Init: cannot open /etc/bro/spool/installed-scripts-do-not-touch/site/int$
1385213298.936827 Reporter::ERROR /etc/bro/spool/installed-scripts-do-not-touch/site/intel1.txt/Input::READER_ASCII: Init failed (empty)
1385213298.936827 Reporter::ERROR /etc/bro/spool/installed-scripts-do-not-touch/site/intel1.txt/Input::READER_ASCII: terminating thread (empty)
/etc/bro/share/bro/site/intel.txt
#fields indicator indicator_type meta.source
instagram.com Intel::DOMAIN my_special_source
local.bro
@load intel1.bro

intel1.bro
@load frameworks/intel/seen
redef Intel::read_files += {
    fmt("%s/intel1.txt", @DIR)
};
________________________________________
From: Bernhard Amann [bernhard at ICSI.Berkeley.EDU]
Sent: Friday, November 22, 2013 9:14 PM
To: Seth Hall
Cc: John Babio; bro at bro.org
Subject: Re: [Bro] two issues with the intel framework
Also - check if the header fields are separated by tab characters and not by spaces.
That might be the problem.
Bernhard
On Nov 22, 2013, at 6:05 PM, Seth Hall <seth at icir.org> wrote:
>
> On Nov 22, 2013, at 8:26 PM, John Babio <jbabio at po-box.esu.edu> wrote:
>
>> The other error is "headers are incorrect". Any help would be appreciated. Thanks!
>
>
> It's helpful to post exactly what errors you're seeing and exactly how you're configuring and running Bro (i.e., send the exact errors and send an example of something you can provide Bro to reproduce the error).
>
> Thanks,
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
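The tab-versus-space check Bernhard suggests, as an added example that is not part of the original thread or of Bro itself: a small Python lint for an intel file's #fields header and data rows. The function name and the two sample strings are constructed for illustration; the required field names are the three shown in the posted intel file.

```python
import sys

# Field names taken from the intel file shown in the thread.
REQUIRED = ("indicator", "indicator_type", "meta.source")

def check_intel_file(text):
    """Return a list of (line_number, problem); an empty list means the file looks OK."""
    problems = []
    fields = None
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith("#fields"):
            # A correct header splits into the "#fields" tag plus one name per tab.
            tag, *fields = line.split("\t")
            if tag != "#fields" or any(" " in f for f in fields):
                problems.append((n, "space in #fields header; separate names with tabs"))
            missing = [f for f in REQUIRED if f not in fields]
            if missing:
                problems.append((n, "fields not found: " + ", ".join(missing)))
        elif line.startswith("#") or not line.strip():
            continue  # other header lines and blank lines
        elif fields is None:
            problems.append((n, "data row before #fields header"))
        elif fields:
            # Only count columns when the header itself parsed into names.
            cols = line.split("\t")
            if len(cols) != len(fields):
                problems.append((n, "expected %d tab-separated columns, found %d"
                                 % (len(fields), len(cols))))
    if fields is None:
        problems.append((0, "no #fields header"))
    return problems

# Constructed samples: the file as it appears in the archived post (spaces),
# and the same content separated by tabs.
SPACES = ("#fields indicator indicator_type meta.source\n"
          "instagram.com Intel::DOMAIN my_special_source\n")
TABS = ("#fields\tindicator\tindicator_type\tmeta.source\n"
        "instagram.com\tIntel::DOMAIN\tmy_special_source\n")

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SPACES
    for n, msg in check_intel_file(text):
        print("line %d: %s" % (n, msg))
```

Run it with the path to the intel file as the only argument; with no argument it checks the space-separated sample.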