[Bro] Intel Framework troubleshooting tips?

Kim Halavakoski kim at blackcatsec.net
Mon May 19 13:56:17 PDT 2014


Hello.
I am running Bro 2.2 from the RPM downloaded from Bro.org and recently got interested in enabling the Intel Framework when I watched Liam Randall's talk: https://www.youtube.com/watch?v=8XqiQuy7nFQ
I have downloaded mal-dnssearch and mal-dns2bro scripts and have downloaded all of the feeds to /opt/bro/feeds and enabled the intel framework in /opt/bro/share/bro/site/local.bro:

# Load the Intel Framework to be used with mal-dnssearch for
# Threat Intelligence data analysis and correlation
# http://www.bro.org/sphinx-git/frameworks/intel.html
# http://blog.bro.org/2014/01/intelligence-data-and-bro_4980.html
# 

@load frameworks/intel/seen
@load frameworks/intel/do_notice

redef Intel::read_files += {
        "/opt/bro/feeds/alienvault.intel",
        "/opt/bro/feeds/botcc.intel",
        "/opt/bro/feeds/ciarmy.intel",
        "/opt/bro/feeds/et_ips.intel",
        "/opt/bro/feeds/malhosts.intel",
        "/opt/bro/feeds/malips.intel",
        "/opt/bro/feeds/mandiant.intel",
        "/opt/bro/feeds/mayhemic.intel",
        "/opt/bro/feeds/rbn.intel",
        "/opt/bro/feeds/snort.intel",
        "/opt/bro/feeds/tor.intel",
};


The various intel files follow the format (fields are separated by tabs); the feeds have been downloaded with mal-dnssearch and the intel files created with the mal-dns2bro scripts.

[root at bro-anal01 feeds]# head alienvault.intel 
#fields	indicator	indicator_type	meta.source	meta.url	meta.do_notice	meta.if_in
119.60.12.102	Intel::ADDR	alienvault	http://reputation.alienvault.com/reputation.generic	T	-
37.205.198.162	Intel::ADDR	alienvault	http://reputation.alienvault.com/reputation.generic	T	-
182.131.22.235	Intel::ADDR	alienvault	http://reputation.alienvault.com/reputation.generic	T	-
58.250.71.43	Intel::ADDR	alienvault	http://reputation.alienvault.com/reputation.generic	T	-
211.160.19.250	Intel::ADDR	alienvault	http://reputation.alienvault.com/reputation.generic	T	-
176.215.86.120	Intel::ADDR	alienvault	http://reputation.alienvault.com/reputation.generic	T	-
203.121.165.16	Intel::ADDR	alienvault	http://reputation.alienvault.com/reputation.generic	T	-
211.151.57.196	Intel::ADDR	alienvault	http://reputation.alienvault.com/reputation.generic	T	-
108.59.1.5	Intel::ADDR	alienvault	http://reputation.alienvault.com/reputation.generic	T	-

I've restarted Bro, but I am not seeing any Intel events: the intel.log has not been created and no intel notices are logged in notice.log. I have created traffic towards some of the IP addresses listed in the various sources, which should create intel matches and notice.log events, but nothing Intel-related is logged:

[root at bro-anal01 logs]# ls -la current/intel.log
ls: cannot access current/intel.log: No such file or directory
[root at bro-anal01 logs]# cat current/notice.log |bro-cut -d note | sort -u
PacketFilter::Dropped_Packets
SSH::Password_Guessing
SSL::Invalid_Server_Cert
Scan::Address_Scan

[root at bro-anal01 bin]# ./bro -v
./bro version 2.2

What am I doing wrong? Am I running the wrong version (Bro 2.2 from the RPM downloaded from bro.org), and is the Intel framework only supported on the bleeding-edge Bro from github?

Kim Halavakoski - CISM
kim at blackcatsec.net
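A quick sanity check for feed files like the ones in the post, written as an added example and not code from the post, from Bro, or from the mal-dnssearch tools: it parses an intel file the way the input framework expects (tab-separated columns under a `#fields` header), reports rows that would be skipped, and shows which observed addresses would match. The Intel::Type list is assumed from the Bro 2.2 documentation, and the sample rows are constructed from the post's head output plus two deliberately broken lines.

```python
import ipaddress

# Intel::Type values, assumed from the Bro 2.2 Intel framework docs.
KNOWN_TYPES = {"Intel::ADDR", "Intel::URL", "Intel::SOFTWARE", "Intel::EMAIL",
               "Intel::DOMAIN", "Intel::USER_NAME", "Intel::FILE_HASH",
               "Intel::FILE_NAME", "Intel::CERT_HASH"}
META = "alienvault\thttp://reputation.alienvault.com/reputation.generic\tT\t-"
# Constructed sample: two rows from the post's head output, one row with
# spaces instead of tabs, one whose Intel::ADDR indicator is not an IP.
SAMPLE = "\n".join([
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.url\tmeta.do_notice\tmeta.if_in",
    "119.60.12.102\tIntel::ADDR\t" + META,
    "37.205.198.162\tIntel::ADDR\t" + META,
    "182.131.22.235 Intel::ADDR " + META.replace("\t", " "),
    "not-an-ip\tIntel::ADDR\t" + META,
])

def check_intel_file(text):
    """Parse a Bro intel file; return (records, problems). Each problem names
    a line the input framework would reject or skip, with its line number."""
    records, problems = [], []
    lines = text.splitlines()
    if not lines or not lines[0].startswith("#fields\t"):
        return records, ["line 1: missing tab-separated '#fields' header"]
    fields = lines[0].split("\t")[1:]
    for n, line in enumerate(lines[1:], start=2):
        if not line or line.startswith("#"):
            continue
        cols = line.split("\t")
        if len(cols) != len(fields):
            problems.append("line %d: %d tab-separated columns, expected %d (spaces?)"
                            % (n, len(cols), len(fields)))
            continue
        rec = dict(zip(fields, cols))
        if rec["indicator_type"] not in KNOWN_TYPES:
            problems.append("line %d: unknown indicator_type %s" % (n, rec["indicator_type"]))
            continue
        if rec["indicator_type"] == "Intel::ADDR":
            try:
                ipaddress.ip_address(rec["indicator"])
            except ValueError:
                problems.append("line %d: Intel::ADDR indicator %r is not an IP" % (n, rec["indicator"]))
                continue
        records.append(rec)
    return records, problems

def match_addresses(records, seen):
    """Addresses in `seen` that Intel::seen would match against the loaded records."""
    index = {r["indicator"] for r in records if r["indicator_type"] == "Intel::ADDR"}
    return sorted(a for a in set(seen) if a in index)
```

Running `check_intel_file` over each file in `/opt/bro/feeds` shows whether the rows are actually tab-separated and well-typed before looking elsewhere for why intel.log never appears.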


