[Bro] bro exchange 2013 intel exercises
scott mcallester
scott at 0x4c.com
Sun May 18 22:39:57 PDT 2014
I'm trying to get the exercises from here
<http://www.bro.org/bro-exchange-2013/exercises/intel.html> going.
My intel.bro:
@load policy/frameworks/intel/seen
@load policy/frameworks/intel/do_notice
redef Intel::read_files += {
fmt("%s/intel.dat", @DIR)
};
My intel.dat:
#fields indicator indicator_type meta.source
fetchback.com Intel::DOMAIN my_special_source
I've double-checked the tab spacing and it all looks fine, but every time I
run this I receive this error:
bro -C -r exercise-traffic.pcap intel.bro
internal error: Value not found in enum mappimg. Module: GLOBAL, var: ,
var size: 0
Aborted (core dumped)
I also installed Bro 2.2 from source on my local machine (Mint 13) and
get exactly the same error.
Any ideas?
And a follow up question for when I get this sorted:
If I have a txt file with a list of newline-separated IPs (~1500) from
malwaredomainlist.com, is this something the intel framework is suited
for? Or should I just stick to Snort's blacklist.rules or Suricata's
equivalent?
Scott
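Since the post's own problem is about tab separation and the follow-up asks about loading a plain list of IPs, here is an added example (my code, not from the post or from the Bro project) that turns a newline-separated list into the tab-separated intel.dat layout the exercise uses, with the same three columns as above. The sample list and the meta.source value "malwaredomainlist" are constructed; it emits only Intel::ADDR and Intel::DOMAIN, and reports lines it could not classify rather than writing them.

```python
import ipaddress
import re

# Constructed sample input (not a real feed): the newline-separated list the
# post describes, with a comment, a CRLF line ending, a duplicate and junk.
SAMPLE_LIST = """# constructed sample, not a real feed
192.0.2.10
198.51.100.7\r
fetchback.com
192.0.2.10
not a valid indicator!
"""

# Hostname shape only (labels of letters, digits, hyphens; alphabetic TLD).
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def classify(token):
    """Return the Intel::Type for a token, or None if it is neither an IP nor a domain."""
    try:
        ipaddress.ip_address(token)
        return "Intel::ADDR"
    except ValueError:
        pass
    if DOMAIN_RE.match(token):
        return "Intel::DOMAIN"
    return None


def to_intel_dat(text, source):
    """Convert a newline-separated list into intel.dat text.

    Columns are joined with a literal tab, which is what the Intel framework's
    input reader requires; spaces in place of tabs produce parse errors.
    Returns (file_text, skipped_tokens).
    """
    rows = ["#fields\tindicator\tindicator_type\tmeta.source"]
    seen = set()
    skipped = []
    for line in text.splitlines():
        token = line.strip()  # also removes stray CR characters and padding
        if not token or token.startswith("#"):
            continue
        itype = classify(token)
        if itype is None:
            skipped.append(token)
            continue
        if token in seen:  # the framework keys on indicator; drop duplicates
            continue
        seen.add(token)
        rows.append("\t".join((token, itype, source)))
    return "\n".join(rows) + "\n", skipped


if __name__ == "__main__":
    dat, bad = to_intel_dat(SAMPLE_LIST, "malwaredomainlist")
    print(dat, end="")
    print("skipped:", bad)
```

Write the returned text to intel.dat next to intel.bro and the existing `redef Intel::read_files` line picks it up unchanged.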