[Bro] Bro Intel Framework troubleshooting?
Kim Halavakoski
kim at blackcatsec.net
Tue May 20 07:33:14 PDT 2014
Hi,
Thanks that works now!
I "forgot" the broctl install command and have just restarted bro hoping it would pick up the config changes...
Is there any way of getting another variable from the intel file and using it as some kind of type/classifier? In the Alienvault example the IP-address comes with a type like "Scanning host", "Malware domain" etc.
How can I use that field in the Intel file so that I know what kind of threat it is?
Best regards,
Kim Halavakoski
kim at blackcatsec.net
Sent from my mobile device, excuse my clawfingerness!
> On 20 maj 2014, at 01:41, Jon Schipp <jonschipp at gmail.com> wrote:
>
> Did you put the configuration into effect? e.g. ``broctl check && broctl install && broctl restart''
>
> Also, what's the output of ``tail -1 alienvault.intel | hexdump -c''?
>
>
>> On Mon, May 19, 2014 at 3:57 PM, Kim Halavakoski <kim at blackcatsec.net> wrote:
>> Hello.
>> I am running Bro 2.2 from RPM downloaded from Bro.org and recently got interested in enabling the Intel Framework when I watched Liam Randall's talk: https://www.youtube.com/watch?v=8XqiQuy7nFQ
>> I have downloaded mal-dnssearch and mal-dns2bro scripts and have downloaded all of the feeds to /opt/bro/feeds and enabled the intel framework in /opt/bro/share/bro/site/local.bro:
>>
>> # Load the Intel Framework to be used with mal-dnssearch for
>> # Threat Intelligence data analysis and correlation
>> # http://www.bro.org/sphinx-git/frameworks/intel.html
>> # http://blog.bro.org/2014/01/intelligence-data-and-bro_4980.html
>> #
>>
>> @load frameworks/intel/seen
>> @load frameworks/intel/do_notice
>>
>> redef Intel::read_files += {
>> "/opt/bro/feeds/alienvault.intel",
>> "/opt/bro/feeds/botcc.intel",
>> "/opt/bro/feeds/ciarmy.intel",
>> "/opt/bro/feeds/et_ips.intel",
>> "/opt/bro/feeds/malhosts.intel",
>> "/opt/bro/feeds/malips.intel",
>> "/opt/bro/feeds/mandiant.intel",
>> "/opt/bro/feeds/mayhemic.intel",
>> "/opt/bro/feeds/rbn.intel",
>> "/opt/bro/feeds/snort.intel",
>> "/opt/bro/feeds/tor.intel",
>> };
>>
>>
>> The various intel files follow the format, fields are separated by tabs, and the files have been downloaded with mal-dnssearch and the intel files created with the mal-dns2bro scripts.
>>
>> [root at bro-anal01 feeds]# head alienvault.intel
>> #fields indicator indicator_type meta.source meta.url meta.do_notice meta.if_in
>> 119.60.12.102 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
>> 37.205.198.162 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
>> 182.131.22.235 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
>> 58.250.71.43 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
>> 211.160.19.250 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
>> 176.215.86.120 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
>> 203.121.165.16 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
>> 211.151.57.196 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
>> 108.59.1.5 Intel::ADDR alienvault http://reputation.alienvault.com/reputation.generic T -
>>
>> I’ve restarted Bro and I am not seeing any Intel-events and the intel.log has not been created and no intel logs are logged in notice.log? I have created traffic towards some of the IP-addresses listed in the various i
>>
>> [root at bro-anal01 logs]# ls -la current/intel.log
>> ls: cannot access current/intel.log: No such file or directory
>> [root at bro-anal01 logs]# cat current/notice.log |bro-cut -d note | sort -u
>> PacketFilter::Dropped_Packets
>> SSH::Password_Guessing
>> SSL::Invalid_Server_Cert
>> Scan::Address_Scan
>>
>> [root at bro-anal01 bin]# ./bro -v
>> ./bro version 2.2
>>
>> What am I doing wrong? Am I running the wrong version (Bro 2.2 from RPM downloaded from bro.org) and the Intel framework is only supported on the bleeding-edge Bro from github?
>>
>> Kim Halavakoski - CISM
>> kim at blackcatsec.net
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
> --
> Jon Schipp,
> jonschipp.com, sickbits.net
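One way to answer the classifier question, as an added example that is not code from this thread or from mal-dns2bro: the Intel framework's metadata record has an optional meta.desc column, so the feed's category ("Scanning Host", "Malware Domain", ...) can be written there and read back in an Intel::match handler. The header line in the comment, the module name and the notice type name are assumptions; the feed path and the do_notice loading follow the poster's local.bro.

```bro
# Intel file layout this script expects (tab separated; constructed sample,
# the meta.desc column is what mal-dns2bro would have to be made to fill):
#
# #fields indicator      indicator_type  meta.source  meta.desc       meta.url                                              meta.do_notice
# 119.60.12.102  Intel::ADDR     alienvault   Scanning Host   http://reputation.alienvault.com/reputation.generic   T

@load frameworks/intel/seen
@load frameworks/intel/do_notice

module IntelClassifier;   # assumed module name

export {
	redef enum Notice::Type += {
		## Intel hit whose feed entry carried a classifier in meta.desc.
		Classified_Hit
	};
}

# Intel::match fires once per observed indicator with every matching item.
event Intel::match(s: Intel::Seen, items: set[Intel::Item])
	{
	for ( item in items )
		{
		# meta.desc is &optional; skip items from feeds that did not set it.
		if ( ! item$meta?$desc )
			next;

		# $sub carries the classifier on its own so notice.log can be
		# filtered by threat type with bro-cut, e.g. `bro-cut note sub`.
		local n: Notice::Info = [$note=Classified_Hit,
		                         $msg=fmt("Intel hit on %s (%s) from %s seen in %s",
		                                  s$indicator, item$meta$desc,
		                                  item$meta$source, s$where),
		                         $sub=item$meta$desc];

		# Attach the connection when the sighting came from one, so the
		# notice gets the usual id/uid columns.
		if ( s?$conn )
			n$conn = s$conn;

		NOTICE(n);
		}
	}
```

Feeds whose entries lack meta.desc still produce the standard Intel::Notice from do_notice; this handler only adds the classified notice on top.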