[Bro] CIF and Bro Integration

Tom OBrion hammadog at gmail.com
Sun Mar 30 06:14:51 PDT 2014


Thanks all for who responded.

Just to update everyone on this.   When they say RTFM, this was the case 
for me.   I tried to fumble my way through all this and I should have 
just sat back and read some good posts and documentation.  The following 
two links really point you in the right direction.

#1
http://www.bro.org/bro-exchange-2013/exercises/intel.html

This exercise says it all and makes it very easy to understand.  The CIF 
integration is also pretty easy with this post.

#2
http://blog.opensecurityresearch.com/2014/03/identifying-malware-traffic-with-bro.html

Pretty darn nice implementation for pulling external Intel as well as 
defining your own.

Love Bro, it's wicked!

Tom


On 03/26/2014 10:37 PM, Jon Schipp wrote:
> If you don't want to upgrade, you can replace that Bro.pm file with 
> this newer one:
> https://github.com/csirtgadgets/iodef-pb-simple-perl/blob/master/lib/Iodef/Pb/Format/Bro.pm
>
>
> On Wed, Mar 26, 2014 at 9:08 PM, Tom OBrion <hammadog at gmail.com> wrote:
>
>     Update.
>
>     Well in looking at the DOC on the BRO site.   I must have a
>     different version of CIF causing the BRO plugin to format my feed
>     differently.
>
>     Tom
>
>
>     On Wed, Mar 26, 2014 at 9:46 PM, Bernhard Amann
>     <bernhard at icsi.berkeley.edu> wrote:
>
>
>         On Mar 26, 2014, at 6:14 PM, Jon Schipp <jonschipp at gmail.com> wrote:
>
>         > I'm not so certain anymore ;)
>         > It looks like you're right [1] that the mode is set to
>         REREAD [1].
>         > Though, I'm pretty sure that I've read in the documentation
>         that a restart is required for the removal of items.
>         > Maybe that was a mistake. Oh well.
>
>         You are right about that. Even though reread supports the
>         removal of items,
>         the current way in which it is used in the intelligence
>         framework does not seem to.
>
>         I have to ask Seth why that is the case - it should be easy to
>         change this.
>
>         Bernhard
>         _______________________________________________
>         Bro mailing list
>         bro at bro-ids.org
>         http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
>
>
>     -- 
>
>     Tom O'Brion
>     Twitter: @tobrion
>     Skype: TomOBrion
>
>     "Life is too short to spend time with people who suck the happy
>     out of you."
>
>     LinkedIn: http://www.linkedin.com/in/tomobrion
>
>
>
>
>
> -- 
> Jon Schipp,
> jonschipp.com, sickbits.net

-- 
Tom O'Brion
Twitter: @tobrion
Skype: TomOBrion

"Life is too short to spend time with people who suck the happy out of you."
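Added example (not code from this thread, from the Bro project, or from the two linked write-ups): the minimal shape of the intel integration the thread is about, as a site script for the Bro 2.2-era Intel framework. The script path, the intel file path, the source name "cif-example" and the indicators are assumptions invented for the example; the field names in the file header are the ones the Intel framework's reader expects.

```bro
# local-intel.bro (hypothetical site script, added example; not from the thread)
#
# Load the "seen" scripts so that indicators observed in traffic (addresses,
# domains, URLs, certificate hashes, ...) are looked up in the loaded intel
# and every hit is written to intel.log.
@load frameworks/intel/seen

# Intel files are read by the input framework, so they must be TAB-separated
# (spaces will not parse) and start with a #fields header. The file below,
# at an assumed path, is a constructed example; the address is from the
# 192.0.2.0/24 documentation range and the domain uses a reserved TLD:
#
# #fields<TAB>indicator<TAB>indicator_type<TAB>meta.source<TAB>meta.desc<TAB>meta.url
# 192.0.2.10<TAB>Intel::ADDR<TAB>cif-example<TAB>constructed test entry<TAB>https://example.invalid/
# badhost.example<TAB>Intel::DOMAIN<TAB>cif-example<TAB>constructed test entry<TAB>https://example.invalid/
#
# Add the file to the set of intel files the framework loads at startup.
redef Intel::read_files += {
    "/opt/bro/share/bro/site/cif.intel",
};

# Intel::match is raised by the framework for every indicator that matches;
# `s` describes where the indicator was seen, `items` the intel entries it
# matched. This handler just prints the hit; a real deployment would raise
# a notice instead (see policy/frameworks/intel/do_notice).
event Intel::match(s: Intel::Seen, items: set[Intel::Item])
    {
    for ( item in items )
        print fmt("intel hit: %s (%s) seen at %s, source %s",
                  s$indicator, s$indicator_type, s$where, item$meta$source);
    }
```

Two practical notes that follow from the thread: the file is read in REREAD mode, so lines appended to it (for example by a periodic CIF export) are picked up without restarting Bro, but, as Bernhard confirms above, a line removed from the file is not removed from the loaded intel, so a restart is still needed to retire indicators. And a feed written by a different CIF version, or by the older Bro.pm formatter Jon mentions, may not produce exactly this header, which is the formatting mismatch Tom ran into.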


