[Bro] two issues with the intel framework

John Babio jbabio at po-box.esu.edu
Sat Nov 23 11:01:05 PST 2013


You guys had it. I went back in and redid the entire line with just tabs. I believe I had it this way, but just to be certain I redid the entire file. Something must have thrown it off or was lingering in the original file. You guys are the best!
________________________________________
From: Bernhard Amann [bernhard at ICSI.Berkeley.EDU]
Sent: Saturday, November 23, 2013 10:50 AM
To: John Babio
Cc: Seth Hall; bro at bro.org
Subject: Re: [Bro] two issues with the intel framework

Just to check - are you a hundred percent sure that the first line of your
intel.txt file looks like…
#fields[tab]indicator[tab]indicator_type[tab]meta.source

Without any other characters in between, especially not using spaces
instead of tab?

From the paste in your mail we are unable to tell if that is the case, but
the error message really sounds like there is some kind of problem with
that line in the input file.

Bernhard

On Nov 23, 2013, at 5:32 AM, John Babio <jbabio at po-box.esu.edu> wrote:

> Reporter.log
>
> #separator \x09
> #set_separator  ,
> #empty_field    (empty)
> #unset_field    -
> #path   reporter
> #open   2013-11-23-08-28-18
> #fields ts      level   message location
> #types  time    enum    string  string
> 1385213298.936827       Reporter::ERROR /etc/bro/spool/installed-scripts-do-not-touch/site/intel1.txt/Input::READER_ASCII: Did not find requested field indicator in input data file /etc/bro/spool$
> 1385213298.936827       Reporter::ERROR /etc/bro/spool/installed-scripts-do-not-touch/site/intel1.txt/Input::READER_ASCII: Init: cannot open /etc/bro/spool/installed-scripts-do-not-touch/site/int$
> 1385213298.936827       Reporter::ERROR /etc/bro/spool/installed-scripts-do-not-touch/site/intel1.txt/Input::READER_ASCII: Init failed  (empty)
> 1385213298.936827       Reporter::ERROR /etc/bro/spool/installed-scripts-do-not-touch/site/intel1.txt/Input::READER_ASCII: terminating thread   (empty)
>
> /etc/bro/share/bro/site/intel.txt
>
> #fields         indicator       indicator_type          meta.source
> instagram.com   Intel::DOMAIN   my_special_source
>
> local.bro
>
> @load intel1.bro
>
> intel1.bro
>
> @load frameworks/intel/seen
>
> redef Intel::read_files += {
>       fmt("%s/intel1.txt", @DIR)
> };
>
> ________________________________________
> From: Bernhard Amann [bernhard at ICSI.Berkeley.EDU]
> Sent: Friday, November 22, 2013 9:14 PM
> To: Seth Hall
> Cc: John Babio; bro at bro.org
> Subject: Re: [Bro] two issues with the intel framework
>
> Also - check if the header fields are separated by tab characters and not by spaces.
> That might be the problem.
>
> Bernhard
> On Nov 22, 2013, at 6:05 PM, Seth Hall <seth at icir.org> wrote:
>
>>
>> On Nov 22, 2013, at 8:26 PM, John Babio <jbabio at po-box.esu.edu> wrote:
>>
>>> The other error is "headers are incorrect". Any help would be appreciated. Thanks!
>>
>>
>> It's helpful to post exactly what errors you're seeing and exactly how you're configuring and running Bro (i.e., send the exact errors and send an example of something you can provide Bro to reproduce the error).
>>
>> Thanks,
>> .Seth
>>
>> --
>> Seth Hall
>> International Computer Science Institute
>> (Bro) because everyone has a network
>> http://www.bro.org/
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
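
Added example, not part of the original thread or of Bro itself: a small linter for the tab-separation problem discussed above. It checks that the #fields header and every data row of an intel file are split by tabs. The required field names are taken from the header line quoted in the thread; the function name and the sample data are constructed for illustration.

```python
# Lint a Bro intel file for space-vs-tab separator mistakes (added example).
# REQUIRED comes from the header line quoted in the thread.
REQUIRED = ("indicator", "indicator_type", "meta.source")

def lint_intel(text):
    """Return a list of (line_number, problem) tuples; empty list means OK."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("#fields"):
        return [(1, "first line must start with #fields")]
    problems = []
    header = lines[0].split("\t")
    # With spaces instead of tabs the whole header stays in one piece.
    if header[0] != "#fields":
        problems.append((1, "#fields is not followed by a tab"))
    fields = header[1:]
    for name in fields:
        if name == "" or " " in name:
            problems.append((1, "bad field name %r (space or empty)" % name))
    for name in REQUIRED:
        if name not in fields:
            problems.append((1, "required field %r not found" % name))
    if problems:
        return problems  # row checks are meaningless with a broken header
    for num, line in enumerate(lines[1:], start=2):
        if not line or line.startswith("#"):
            continue
        cols = line.split("\t")
        if len(cols) != len(fields):
            problems.append((num, "expected %d tab-separated columns, found %d"
                             % (len(fields), len(cols))))
    return problems

# Constructed sample inputs.
GOOD = ("#fields\tindicator\tindicator_type\tmeta.source\n"
        "instagram.com\tIntel::DOMAIN\tmy_special_source\n")
BAD_HEADER = ("#fields  indicator  indicator_type  meta.source\n"
              "instagram.com\tIntel::DOMAIN\tmy_special_source\n")
BAD_ROW = ("#fields\tindicator\tindicator_type\tmeta.source\n"
           "instagram.com Intel::DOMAIN my_special_source\n")

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("bad header", BAD_HEADER),
                          ("bad row", BAD_ROW)):
        print(label, lint_intel(sample))
```
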




