[Bro] Bro Intel Framework troubleshooting?

Kim Halavakoski kim at blackcatsec.net
Tue May 20 07:33:14 PDT 2014


Hi,
Thanks that works now! 

I "forgot" the broctl install command and have just restarted bro hoping it would pick up the config changes...

Is there any way of getting another variable from the intel file and using it as some kind of type/classifier? In the Alienvault example the IP-address comes with a type like "Scanning host", "Malware domain" etc. 

How can I use that field in the Intel file so that I know what kind of threat it is? 


Best regards,

Kim Halavakoski
kim at blackcatsec.net

Sent from my mobile device, excuse my clawfingerness!


> On 20 maj 2014, at 01:41, Jon Schipp <jonschipp at gmail.com> wrote:
> 
> Did you put the configuration into effect? e.g. ``broctl check && broctl install && broctl restart''
> 
> Also, what's the output of ``tail -1 alienvault.intel | hexdump -c''?
> 
> 
>> On Mon, May 19, 2014 at 3:57 PM, Kim Halavakoski <kim at blackcatsec.net> wrote:
>> Hello.
>> I am running Bro 2.2 from RPM downloaded from Bro.org and recently got interested in enabling the Intel Framework when I watched Liam Randall's talk: https://www.youtube.com/watch?v=8XqiQuy7nFQ
>> I have downloaded the mal-dnssearch and mal-dns2bro scripts, have downloaded all of the feeds to /opt/bro/feeds and enabled the intel framework in /opt/bro/share/bro/site/local.bro:
>> 
>> # Load the Intel Framework to be used with mal-dnssearch for
>> # Threat Intelligence data analysis and correlation
>> # http://www.bro.org/sphinx-git/frameworks/intel.html
>> # http://blog.bro.org/2014/01/intelligence-data-and-bro_4980.html
>> # 
>> 
>> @load frameworks/intel/seen
>> @load frameworks/intel/do_notice
>> 
>> redef Intel::read_files += {
>>         "/opt/bro/feeds/alienvault.intel",
>>         "/opt/bro/feeds/botcc.intel",
>> 	"/opt/bro/feeds/ciarmy.intel",
>> 	"/opt/bro/feeds/et_ips.intel",
>> 	"/opt/bro/feeds/malhosts.intel",
>> 	"/opt/bro/feeds/malips.intel",
>> 	"/opt/bro/feeds/mandiant.intel",
>> 	"/opt/bro/feeds/mayhemic.intel",
>> 	"/opt/bro/feeds/rbn.intel",
>> 	"/opt/bro/feeds/snort.intel",
>> 	"/opt/bro/feeds/tor.intel",
>> };
>> 
>> 
>> The various intel files follow the format, fields are separated by tabs, and the files have been downloaded with mal-dnssearch and the intel files created with the mal-dns2bro scripts.
>> 
>> [root at bro-anal01 feeds]# head alienvault.intel 
>> #fields	indicator	indicator_type	meta.source	meta.url	meta.do_notice	meta.if_in
>> 119.60.12.102	Intel::ADDR	alienvault	http://reputation.alienvault.com/reputation.generic	T	-
>> 37.205.198.162	Intel::ADDR	alienvault	http://reputation.alienvault.com/reputation.generic	T	-
>> 182.131.22.235	Intel::ADDR	alienvault	http://reputation.alienvault.com/reputation.generic	T	-
>> 58.250.71.43	Intel::ADDR	alienvault	http://reputation.alienvault.com/reputation.generic	T	-
>> 211.160.19.250	Intel::ADDR	alienvault	http://reputation.alienvault.com/reputation.generic	T	-
>> 176.215.86.120	Intel::ADDR	alienvault	http://reputation.alienvault.com/reputation.generic	T	-
>> 203.121.165.16	Intel::ADDR	alienvault	http://reputation.alienvault.com/reputation.generic	T	-
>> 211.151.57.196	Intel::ADDR	alienvault	http://reputation.alienvault.com/reputation.generic	T	-
>> 108.59.1.5	Intel::ADDR	alienvault	http://reputation.alienvault.com/reputation.generic	T	-
>> 
>> I’ve restarted Bro and I am not seeing any Intel-events and the intel.log has not been created and no intel logs are logged in notice.log? I have created traffic towards some of the IP-addresses listed in the various i
>> 
>> [root at bro-anal01 logs]# ls -la current/intel.log
>> ls: cannot access current/intel.log: No such file or directory
>> [root at bro-anal01 logs]# cat current/notice.log |bro-cut -d note | sort -u
>> PacketFilter::Dropped_Packets
>> SSH::Password_Guessing
>> SSL::Invalid_Server_Cert
>> Scan::Address_Scan
>> 
>> [root at bro-anal01 bin]# ./bro -v
>> ./bro version 2.2
>> 
>> What am I doing wrong? Am I running the wrong version (Bro 2.2 from RPM downloaded from bro.org) and is the Intel framework only supported on the bleeding-edge Bro from GitHub?
>> 
>> Kim Halavakoski - CISM
>> kim at blackcatsec.net
>> 
>> 
>> 
>> 
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> 
> 
> 
> -- 
> Jon Schipp, 
> jonschipp.com, sickbits.net