[Bro] Intel Framework Not Generating Intel Log

Jamie Gausemel jamie.gausemel at gmail.com
Thu Jun 19 07:17:19 PDT 2014


The Bro intel scripts show up in the log, but am I supposed to be seeing my
test.txt feed?

==================

sensor1 at sensor1:~$ cat /home/sensor1/tmp/loaded_scripts.log |grep intel
  /opt/bro/share/bro/base/frameworks/intel/__load__.bro
    /opt/bro/share/bro/base/frameworks/intel/main.bro
    /opt/bro/share/bro/base/frameworks/intel/input.bro
  /opt/bro/share/bro/policy/frameworks/intel/seen/__load__.bro
    /opt/bro/share/bro/policy/frameworks/intel/seen/conn-established.bro
      /opt/bro/share/bro/policy/frameworks/intel/seen/where-locations.bro
    /opt/bro/share/bro/policy/frameworks/intel/seen/dns.bro
    /opt/bro/share/bro/policy/frameworks/intel/seen/file-hashes.bro
    /opt/bro/share/bro/policy/frameworks/intel/seen/file-names.bro
    /opt/bro/share/bro/policy/frameworks/intel/seen/http-headers.bro
    /opt/bro/share/bro/policy/frameworks/intel/seen/http-url.bro
    /opt/bro/share/bro/policy/frameworks/intel/seen/ssl.bro
    /opt/bro/share/bro/policy/frameworks/intel/seen/smtp.bro
    /opt/bro/share/bro/policy/frameworks/intel/seen/smtp-url-extraction.bro
  /opt/bro/share/bro/policy/frameworks/intel/do_notice.bro


On Thu, Jun 19, 2014 at 6:47 AM, Doug Burks <doug.burks at gmail.com> wrote:

> Hi Jamie,
>
> Take a look at loaded_scripts.log and verify that the intel framework
> and your intel feed show up there.
>
> On Wed, Jun 18, 2014 at 3:21 PM, Jamie Gausemel
> <jamie.gausemel at gmail.com> wrote:
> > I am running Bro 2.2 on Security Onion
> >
> > ==========================
> > sensor1 at sensor1:~/tmp$ sudo tail /opt/bro/share/bro/site/local.bro
> > #@load apt1
> >
> > # Bro Intelligence Framework
> > @load frameworks/intel/seen
> > @load frameworks/intel/do_notice
> >
> > # Load Intel Feeds For Bro Intelligence Framework
> > redef Intel::read_files += {
> >         "/opt/bro/intel_feeds/test.txt"
> > };
> >
> > ==========================
> >
> > sensor1 at sensor1:~/tmp$ sudo cat /opt/bro/intel_feeds/test.txt
> > #fields indicator       indicator_type  meta.source
> > 216.146.46.11   Intel::ADDR     jamie
> >
> > ==========================
> >
> > sensor1 at sensor1:~/tmp$ sudo bro -r test.pcap local
> >
> > generates the following logs:
> >
> > capture_loss.log  conn.log  loaded_scripts.log  packet_filter.log
> > reporter.log
> >
> > ==========================
> >
> > reporter.log contains:
> >
> > sensor1 at sensor1:~/tmp$ cat reporter.log
> > #separator \x09
> > #set_separator  ,
> > #empty_field    (empty)
> > #unset_field    -
> > #path   reporter
> > #open   2014-06-18-18-13-17
> > #fields ts      level   message location
> > #types  time    enum    string  string
> > 0.000000        Reporter::WARNING       Template value remaining in BPFConf filename: /etc/nsm/{{hostname}}-{{interface}}/bpf-bro.conf /opt/bro/share/bro/securityonion/./bpfconf.bro, line 99
> > 0.000000        Reporter::INFO  BPFConf filename set: /etc/nsm/sensor1-eth1/bpf-bro.conf /opt/bro/share/bro/securityonion/./bpfconf.bro, line 103
> > 0.000000        Reporter::INFO  BPFConf filename set: /etc/nsm/sensor1-eth1/bpf-bro.conf /opt/bro/share/bro/securityonion/./bpfconf.bro, line 103
> > 1403105006.674182       Reporter::INFO  Failed to open GeoIP database: /usr/share/GeoIP/GeoIPCity.dat   (empty)
> > 1403105006.674182       Reporter::INFO  Fell back to GeoIP Country database (empty)
> > 1403105006.674182       Reporter::INFO  Failed to open GeoIP database: /usr/share/GeoIP/GeoIPCityv6.dat (empty)
> > #close  2014-06-18-18-13-17
> >
> > ==========================
> >
> > test.pcap contains ICMP traffic to 216.146.46.11, and this traffic shows up
> > in conn.log; however, I am not getting the expected intel.log. The test.txt
> > is tab delimited, and was created with pico.
> >
> > Any ideas? Are there other logs I can look at for clues? Thanks.
> >
>
>
>
> --
> Doug Burks
>
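Added example (my own code, not from this thread and not part of Bro): a small Python checker for the shape of an Intel::read_files feed like the test.txt above, which flags a missing or space-separated #fields header, missing required columns, rows whose tab count differs from the header, unknown indicator_type values, and an Intel::ADDR indicator that is not an IP address. The Intel::Type set is what I recall for Bro 2.2 and is an assumption to adjust for your version.

```python
import ipaddress

# Intel::Type values as I recall them for Bro 2.2 (an assumption: compare with
# the Intel::Type enum shipped with your Bro version and adjust this set).
INTEL_TYPES = {"Intel::ADDR", "Intel::URL", "Intel::SOFTWARE", "Intel::EMAIL",
               "Intel::DOMAIN", "Intel::USER_NAME", "Intel::FILE_HASH",
               "Intel::FILE_NAME", "Intel::CERT_HASH"}
REQUIRED = ("indicator", "indicator_type", "meta.source")


def check_intel_feed(text):
    """Return problems found in a feed body; [] means it has the expected shape."""
    problems = []
    lines = [l for l in text.split("\n") if l.strip()]
    header = lines[0].split("\t") if lines else [""]
    if header[0] != "#fields":           # the name list must follow a real TAB
        return ["first line must be '#fields' followed by a TAB and the names"]
    cols = header[1:]
    problems += ["header is missing column %r" % r for r in REQUIRED if r not in cols]
    if problems:
        return problems                  # cannot index rows without the columns
    idx = {name: i for i, name in enumerate(cols)}
    for n, line in enumerate(lines[1:], start=2):
        if line.startswith("#"):
            continue                     # other #-directives are not indicators
        row = line.split("\t")
        if len(row) != len(cols):
            problems.append("line %d: %d tab-separated fields, header has %d "
                            "(spaces instead of tabs?)" % (n, len(row), len(cols)))
            continue
        itype, src = row[idx["indicator_type"]], row[idx["meta.source"]]
        if itype not in INTEL_TYPES:
            problems.append("line %d: unknown indicator_type %r" % (n, itype))
        if not src:
            problems.append("line %d: empty meta.source" % n)
        if itype == "Intel::ADDR":
            try:
                ipaddress.ip_address(row[idx["indicator"]])
            except ValueError:
                problems.append("line %d: indicator is not an IP address" % n)
    return problems


# Constructed samples: the feed from the thread with real tabs, and the same
# content with the tabs turned into spaces, which an editor can do silently.
GOOD_FEED = "#fields\tindicator\tindicator_type\tmeta.source\n216.146.46.11\tIntel::ADDR\tjamie\n"
BAD_FEED = GOOD_FEED.replace("\t", "    ")
if __name__ == "__main__":
    print("tabs  :", check_intel_feed(GOOD_FEED) or "OK")
    print("spaces:", check_intel_feed(BAD_FEED))
```

Running it against the real file (`check_intel_feed(open(path).read())`) tells you whether the editor preserved the tabs before you look elsewhere for the cause.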