[Bro] Bro Intel Framework troubleshooting?

Jon Schipp jonschipp at gmail.com
Mon May 19 15:41:57 PDT 2014


Did you put the configuration into effect? e.g. ``broctl check && broctl
install && broctl restart''

Also, what's the output of ``tail -1 alienvault.intel | hexdump -c''?


On Mon, May 19, 2014 at 3:57 PM, Kim Halavakoski <kim at blackcatsec.net> wrote:

> Hello.
> I am running Bro 2.2 from RPM downloaded from Bro.org and recently got
> interested in enabling the Intel Framework when I watched Liam Randalls
> talk : https://www.youtube.com/watch?v=8XqiQuy7nFQ
> I have downloaded mal-dnssearch and mal-dns2bro scripts and have
> downloaded all of the feeds to /opt/bro/feeds and enabled the intel
> framework in /opt/bro/share/bro/site/local.bro:
>
> # Load the Intel Framework to be used with mal-dnssearch for
> # Threat Intelligence data analysis and correlation
> # http://www.bro.org/sphinx-git/frameworks/intel.html
> # http://blog.bro.org/2014/01/intelligence-data-and-bro_4980.html
> #
>
> @load frameworks/intel/seen
> @load frameworks/intel/do_notice
>
> redef Intel::read_files += {
>         "/opt/bro/feeds/alienvault.intel",
>         "/opt/bro/feeds/botcc.intel",
>         "/opt/bro/feeds/ciarmy.intel",
>         "/opt/bro/feeds/et_ips.intel",
>         "/opt/bro/feeds/malhosts.intel",
>         "/opt/bro/feeds/malips.intel",
>         "/opt/bro/feeds/mandiant.intel",
>         "/opt/bro/feeds/mayhemic.intel",
>         "/opt/bro/feeds/rbn.intel",
>         "/opt/bro/feeds/snort.intel",
>         "/opt/bro/feeds/tor.intel",
> };
>
>
> The various intel files follow the format and fields are separated by tabs
> and the files have been downloaded with mal-dnssearch and intel files
> created with mal-dns2bro scripts.
>
> [root at bro-anal01 feeds]# head alienvault.intel
> #fields indicator indicator_type meta.source meta.url meta.do_notice meta.if_in
> 119.60.12.102 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
> 37.205.198.162 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
> 182.131.22.235 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
> 58.250.71.43 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
> 211.160.19.250 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
> 176.215.86.120 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
> 203.121.165.16 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
> 211.151.57.196 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
> 108.59.1.5 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
>
> I’ve restarted Bro and I am not seeing any Intel-events and the intel.log
> has not been created and no intel logs are logged in notice.log? I have
> created traffic towards some of the IP-addresses listed in the various i
>
> [root at bro-anal01 logs]# ls -la current/intel.log
> ls: cannot access current/intel.log: No such file or directory
> [root at bro-anal01 logs]# cat current/notice.log |bro-cut -d note | sort -u
> PacketFilter::Dropped_Packets
> SSH::Password_Guessing
> SSL::Invalid_Server_Cert
> Scan::Address_Scan
>
> [root at bro-anal01 bin]# ./bro -v
> ./bro version 2.2
>
> What am I doing wrong? Am I running the wrong version(Bro 2.2 from RPM
> downloaded from bro.org) and Intel framework is only supported on the
> bleeding-edge Bro from github?
>
> *Kim Halavakoski - CISM*
> kim at blackcatsec.net
>
>
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>



-- 
Jon Schipp,
jonschipp.com, sickbits.net
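The check Jon's hexdump suggestion is after (is the file really tab-delimited and does every row match the #fields header?), written out as a small validator. This is an added example for this archive page, not code from the thread, from mal-dns2bro or from Bro; the set of indicator types and the two constructed sample files are assumptions modelled on the alienvault.intel head quoted above.

```python
import ipaddress

# Intel indicator types as understood by Bro 2.2 (assumption; the authoritative
# list is the Intel::Type enum in base/frameworks/intel/main.bro of your install).
KNOWN_TYPES = {"Intel::ADDR", "Intel::URL", "Intel::DOMAIN", "Intel::SOFTWARE",
               "Intel::EMAIL", "Intel::USER_NAME", "Intel::FILE_HASH",
               "Intel::FILE_NAME", "Intel::CERT_HASH"}

def check_intel_file(text):
    """Return a list of problems found in the text of a Bro intel file.

    The Intel framework loads files through the input framework's ASCII reader,
    which wants a '#fields' header and TAB-separated columns. A file that looks
    fine in 'head' but is space-separated loads nothing, so no intel.log appears.
    """
    problems = []
    lines = text.splitlines()
    if not lines or not lines[0].startswith("#fields\t"):
        return ["line 1: missing '#fields' header followed by a TAB"]
    header = lines[0].split("\t")[1:]
    if "indicator" not in header or "indicator_type" not in header:
        return ["header: 'indicator' and 'indicator_type' columns are required"]
    i_col, t_col = header.index("indicator"), header.index("indicator_type")
    for n, line in enumerate(lines[1:], start=2):
        if not line or line.startswith("#"):
            continue                      # blank lines and comments are ignored
        cols = line.split("\t")
        if len(cols) != len(header):
            hint = " (fields separated by spaces, not tabs?)" if " " in line else ""
            problems.append(f"line {n}: {len(cols)} columns, header has {len(header)}{hint}")
            continue
        itype = cols[t_col]
        if itype not in KNOWN_TYPES:
            problems.append(f"line {n}: unknown indicator_type {itype!r}")
        elif itype == "Intel::ADDR":      # an ADDR indicator must parse as an IP
            try:
                ipaddress.ip_address(cols[i_col])
            except ValueError:
                problems.append(f"line {n}: {cols[i_col]!r} is not an IP address")
        if "meta.do_notice" in header and cols[header.index("meta.do_notice")] not in ("T", "F"):
            problems.append(f"line {n}: meta.do_notice must be T or F")
    return problems

# Constructed samples: the same record written tab-separated and space-separated.
HEADER = ["#fields", "indicator", "indicator_type", "meta.source", "meta.url",
          "meta.do_notice", "meta.if_in"]
ROW = ["119.60.12.102", "Intel::ADDR", "alienvault",
       "http://reputation.alienvault.com/reputation.generic", "T", "-"]
GOOD = "\t".join(HEADER) + "\n" + "\t".join(ROW) + "\n"
BAD = "\t".join(HEADER) + "\n" + " ".join(ROW) + "\n"
```

Run it over the real feed with `check_intel_file(open("/opt/bro/feeds/alienvault.intel").read())`; an empty list means the file is at least structurally loadable, and any remaining problem is in the config or the traffic rather than the feed.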