[Bro] Intel Framework Not Generating Intel Log

Doug Burks doug.burks at gmail.com
Sat Jun 21 13:10:55 PDT 2014


No, it's not supposed to show test.txt in loaded_scripts.log.

I duplicated your scenario and everything worked properly for me.

Is it possible you have a local.bro in your current directory (~/tmp)
that is overriding /opt/bro/share/bro/site/local.bro?

Have you tried something like this?
bro -r test.pcap /opt/bro/share/bro/site/local.bro

On Thu, Jun 19, 2014 at 10:17 AM, Jamie Gausemel
<jamie.gausemel at gmail.com> wrote:
> The Bro intel scripts show up in the log, but am I supposed to be seeing my
> test.txt feed?
>
> ==================
>
> sensor1 at sensor1:~$ cat /home/sensor1/tmp/loaded_scripts.log |grep intel
>   /opt/bro/share/bro/base/frameworks/intel/__load__.bro
>     /opt/bro/share/bro/base/frameworks/intel/main.bro
>     /opt/bro/share/bro/base/frameworks/intel/input.bro
>   /opt/bro/share/bro/policy/frameworks/intel/seen/__load__.bro
>     /opt/bro/share/bro/policy/frameworks/intel/seen/conn-established.bro
>       /opt/bro/share/bro/policy/frameworks/intel/seen/where-locations.bro
>     /opt/bro/share/bro/policy/frameworks/intel/seen/dns.bro
>     /opt/bro/share/bro/policy/frameworks/intel/seen/file-hashes.bro
>     /opt/bro/share/bro/policy/frameworks/intel/seen/file-names.bro
>     /opt/bro/share/bro/policy/frameworks/intel/seen/http-headers.bro
>     /opt/bro/share/bro/policy/frameworks/intel/seen/http-url.bro
>     /opt/bro/share/bro/policy/frameworks/intel/seen/ssl.bro
>     /opt/bro/share/bro/policy/frameworks/intel/seen/smtp.bro
>     /opt/bro/share/bro/policy/frameworks/intel/seen/smtp-url-extraction.bro
>   /opt/bro/share/bro/policy/frameworks/intel/do_notice.bro
>
>
> On Thu, Jun 19, 2014 at 6:47 AM, Doug Burks <doug.burks at gmail.com> wrote:
>>
>> Hi Jamie,
>>
>> Take a look at loaded_scripts.log and verify that the intel framework
>> and your intel feed show up there.
>>
>> On Wed, Jun 18, 2014 at 3:21 PM, Jamie Gausemel
>> <jamie.gausemel at gmail.com> wrote:
>> > I am running Bro 2.2 on Security Onion
>> >
>> > ==========================
>> > sensor1 at sensor1:~/tmp$ sudo tail /opt/bro/share/bro/site/local.bro
>> > #@load apt1
>> >
>> > # Bro Intelligence Framework
>> > @load frameworks/intel/seen
>> > @load frameworks/intel/do_notice
>> >
>> > # Load Intel Feeds For Bro Intelligence Framework
>> > redef Intel::read_files += {
>> >         "/opt/bro/intel_feeds/test.txt"
>> > };
>> >
>> > ==========================
>> >
>> > sensor1 at sensor1:~/tmp$ sudo cat /opt/bro/intel_feeds/test.txt
>> > #fields indicator       indicator_type  meta.source
>> > 216.146.46.11   Intel::ADDR     jamie
>> >
>> > ==========================
>> >
>> > sensor1 at sensor1:~/tmp$ sudo bro -r test.pcap local
>> >
>> > generates the following logs:
>> >
>> > capture_loss.log  conn.log  loaded_scripts.log  packet_filter.log
>> > reporter.log
>> >
>> > ==========================
>> >
>> > reporter.log contains:
>> >
>> > sensor1 at sensor1:~/tmp$ cat reporter.log
>> > #separator \x09
>> > #set_separator  ,
>> > #empty_field    (empty)
>> > #unset_field    -
>> > #path   reporter
>> > #open   2014-06-18-18-13-17
>> > #fields ts      level   message location
>> > #types  time    enum    string  string
>> > 0.000000        Reporter::WARNING       Template value remaining in BPFConf filename: /etc/nsm/{{hostname}}-{{interface}}/bpf-bro.conf       /opt/bro/share/bro/securityonion/./bpfconf.bro, line 99
>> > 0.000000        Reporter::INFO  BPFConf filename set: /etc/nsm/sensor1-eth1/bpf-bro.conf      /opt/bro/share/bro/securityonion/./bpfconf.bro, line 103
>> > 0.000000        Reporter::INFO  BPFConf filename set: /etc/nsm/sensor1-eth1/bpf-bro.conf      /opt/bro/share/bro/securityonion/./bpfconf.bro, line 103
>> > 1403105006.674182       Reporter::INFO  Failed to open GeoIP database: /usr/share/GeoIP/GeoIPCity.dat   (empty)
>> > 1403105006.674182       Reporter::INFO  Fell back to GeoIP Country database     (empty)
>> > 1403105006.674182       Reporter::INFO  Failed to open GeoIP database: /usr/share/GeoIP/GeoIPCityv6.dat (empty)
>> > #close  2014-06-18-18-13-17
>> >
>> > ==========================
>> >
>> > test.pcap contains ICMP traffic to 216.146.46.11, and this traffic shows up
>> > in conn.log; however, I am not getting the expected intel.log. The test.txt
>> > is tab delimited, and was created with pico.
>> >
>> > Any ideas? Are there other logs I can look at for clues? Thanks.
>> >
>> > _______________________________________________
>> > Bro mailing list
>> > bro at bro-ids.org
>> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>>
>>
>> --
>> Doug Burks
>
>



-- 
Doug Burks
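The thread turns on whether the feed file handed to Intel::read_files is well formed: the intel scripts appear in loaded_scripts.log, but the feed itself is data read by the Input framework, so the only place a malformed feed surfaces is reporter.log or a silently empty intel.log. The following linter is an added example, not code from the thread or from the Bro project. It assumes the Bro 2.2 feed layout (a tab-separated `#fields` header naming at least `indicator`, `indicator_type` and `meta.source`, one tab-separated record per line) and a hypothesized set of Intel::Type values for that release; the sample feeds are constructed to mirror test.txt from the thread plus the classic mistakes (spaces instead of tabs, trailing whitespace inside an indicator, a misspelled type).

```python
"""Lint a Bro/Zeek Intelligence Framework feed before adding it to
Intel::read_files.  Added example, not part of the mailing-list thread."""
import ipaddress
import re
import sys

# Intel::Type enum as assumed for Bro 2.2; later releases add more values
# (e.g. Intel::SUBNET, Intel::PUBKEY_HASH).  Assumption, adjust per release.
INTEL_TYPES = {
    "Intel::ADDR", "Intel::URL", "Intel::SOFTWARE", "Intel::EMAIL",
    "Intel::DOMAIN", "Intel::USER_NAME", "Intel::FILE_HASH",
    "Intel::FILE_NAME", "Intel::CERT_HASH",
}
REQUIRED_FIELDS = ("indicator", "indicator_type", "meta.source")


def _check_indicator(value, itype):
    """Return an error string if the indicator does not fit its declared type."""
    if itype == "Intel::ADDR":
        try:
            ipaddress.ip_address(value)  # rejects trailing whitespace too
        except ValueError:
            return "indicator %r is not an IP address" % value
    elif itype == "Intel::DOMAIN":
        if not re.fullmatch(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*", value):
            return "indicator %r is not a bare domain name" % value
    elif itype == "Intel::URL":
        # The seen/http-url.bro script matches on host+path, so a scheme
        # prefix in the feed never matches (assumed; check your release's docs).
        if re.match(r"[a-z]+://", value, re.IGNORECASE):
            return "indicator %r should not carry a scheme prefix" % value
    return None


def lint_feed(text):
    """Lint feed text; return a list of (line_no, message).  Empty list = OK."""
    problems = []
    lines = text.splitlines()
    if not lines or not lines[0].startswith("#fields\t"):
        problems.append((1, "first line must be a tab-separated '#fields' header"))
        return problems
    fields = lines[0].split("\t")[1:]
    for req in REQUIRED_FIELDS:
        if req not in fields:
            problems.append((1, "missing required column %r" % req))
    if problems:
        return problems
    idx = {name: i for i, name in enumerate(fields)}
    for n, line in enumerate(lines[1:], start=2):
        if not line.strip() or line.startswith("#"):
            continue
        cols = line.split("\t")
        if len(cols) != len(fields):
            hint = ""
            if " " in line and "\t" not in line:
                hint = " (fields separated by spaces instead of tabs?)"
            problems.append((n, "expected %d tab-separated fields, got %d%s"
                             % (len(fields), len(cols), hint)))
            continue
        itype = cols[idx["indicator_type"]]
        if itype not in INTEL_TYPES:
            problems.append((n, "unknown indicator_type %r" % itype))
            continue
        err = _check_indicator(cols[idx["indicator"]], itype)
        if err:
            problems.append((n, err))
        if not cols[idx["meta.source"]].strip():
            problems.append((n, "meta.source is empty"))
    return problems


# Constructed sample feeds (not files from the thread).
GOOD_FEED = ("#fields\tindicator\tindicator_type\tmeta.source\n"
             "216.146.46.11\tIntel::ADDR\tjamie\n")
BAD_FEED = ("#fields\tindicator\tindicator_type\tmeta.source\n"
            "216.146.46.11   Intel::ADDR     jamie\n"   # spaces, not tabs
            "216.146.46.11 \tIntel::ADDR\tjamie\n"      # trailing space in indicator
            "evil.example\tIntel::DOMIAN\tjamie\n")     # misspelled type


if __name__ == "__main__":
    # Usage: python lint_intel_feed.py /opt/bro/intel_feeds/test.txt
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else BAD_FEED
    for line_no, msg in lint_feed(data):
        print("line %d: %s" % (line_no, msg))
```

Run it against the feed before restarting Bro; a clean result for a feed that still produces no intel.log points the investigation back at script loading (which local.bro is actually picked up) rather than at the file itself.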