[Bro] Intel Framework Not Generating Intel Log

Jamie Gausemel jamie.gausemel at gmail.com
Wed Jun 18 12:21:57 PDT 2014 

I am running Bro 2.2 on Security Onion

==========================
sensor1 at sensor1:~/tmp$ sudo tail /opt/bro/share/bro/site/local.bro
#@load apt1

# Bro Intelligence Framework
@load frameworks/intel/seen
@load frameworks/intel/do_notice

# Load Intel Feeds For Bro Intelligence Framework
redef Intel::read_files += {
        "/opt/bro/intel_feeds/test.txt"
};

==========================

sensor1 at sensor1:~/tmp$ sudo cat /opt/bro/intel_feeds/test.txt
#fields indicator       indicator_type  meta.source
216.146.46.11   Intel::ADDR     jamie

==========================

sensor1 at sensor1:~/tmp$ sudo bro -r test.pcap local

generates the following logs:

capture_loss.log  conn.log  loaded_scripts.log  packet_filter.log
 reporter.log

==========================

reporter.log contains:

sensor1 at sensor1:~/tmp$ cat reporter.log
#separator \x09
#set_separator  ,
#empty_field    (empty)
#unset_field    -
#path   reporter
#open   2014-06-18-18-13-17
#fields ts      level   message location
#types  time    enum    string  string
0.000000        Reporter::WARNING       Template value remaining in BPFConf
filename: /etc/nsm/{{hostname}}-{{interface}}/bpf-bro.conf
 /opt/bro/share/bro/securityonion/./bpfconf.bro, line 99
0.000000        Reporter::INFO  BPFConf filename set:
/etc/nsm/sensor1-eth1/bpf-bro.conf
/opt/bro/share/bro/securityonion/./bpfconf.bro, line 103
0.000000        Reporter::INFO  BPFConf filename set:
/etc/nsm/sensor1-eth1/bpf-bro.conf
/opt/bro/share/bro/securityonion/./bpfconf.bro, line 103
1403105006.674182       Reporter::INFO  Failed to open GeoIP database:
/usr/share/GeoIP/GeoIPCity.dat   (empty)
1403105006.674182       Reporter::INFO  Fell back to GeoIP Country database
    (empty)
1403105006.674182       Reporter::INFO  Failed to open GeoIP database:
/usr/share/GeoIP/GeoIPCityv6.dat (empty)
#close  2014-06-18-18-13-17

==========================

test.pcap contains ICMP traffic to 216.146.46.11, and this traffic shows up
in conn.log; however, I am not getting the expected intel.log. The test.txt
is tab delimited, and was created with pico.

Any ideas? Are there other logs I can look at for clues? Thanks.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140618/0bc12574/attachment.html

More information about the Bro mailing list