[Bro] Mal-dnssearch issue
James Lay
jlay at slave-tothe-box.net
Fri Oct 10 07:44:17 PDT 2014
On 2014-10-09 15:48, James Lay wrote:
> Hey again all,
>
> Got almost all the intel feeds that I'm looking to get save
> one...malips. From:
>
> http://blog.bro.org/2014/01/intelligence-data-and-bro_4980.html
>
> I'm running:
>
> mal-dnssearch -M malips -p | mal-dns2bro -T ip -s malips > malips.intel
>
> However the results look muffed:
>
> head malips.intel
> #fields indicator indicator_type meta.source meta.url meta.do_notice meta.if_in
> 100.42.5Intel::ADDR malips - F -
> 103.14.1Intel::ADDR malips - F -
> 103.19.8Intel::ADDR malips - F -
>
> The others all look fine. Again, am I missing a flag or something?
> Thank you.
>
> James
Some additional info shows that there's a carriage return after the
IP...doing a :set list in vim shows:
100.42.50.110^M^IIntel::ADDR^Imalips^I-^IF^I-$
None of the other .intel files show the ^M. Thanks all.
James
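
An added example, not part of the original message and not code from mal-dnssearch or Bro: a shell check that finds carriage returns inside tab-separated intel fields and strips them before the file is loaded. On a terminal the CR returns the cursor to column 0 and the following tab advances it to column 8, which is why `head` shows only the first eight characters of each address. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names are hypothetical, sample data is constructed.

# Constructed sample: header, one line with the CR the message shows after
# the indicator, and one clean line (192.0.2.10 is a documentation address).
make_sample() {
    printf '#fields\tindicator\tindicator_type\tmeta.source\tmeta.url\tmeta.do_notice\tmeta.if_in\n'
    printf '100.42.50.110\r\tIntel::ADDR\tmalips\t-\tF\t-\n'
    printf '192.0.2.10\tIntel::ADDR\tmalips\t-\tF\t-\n'
}

# Print "line:field" for every tab-separated field that contains a CR.
find_cr_fields() {
    awk -F '\t' '{ for (i = 1; i <= NF; i++) if (index($i, "\r")) print NR ":" i }'
}

# Remove every CR so the indicator field holds only the address.
strip_cr() {
    tr -d '\r'
}

# Succeed only if no field contains a CR; usable as a gate before loading.
intel_is_clean() {
    [ -z "$(find_cr_fields)" ]
}

# Demo on the constructed sample.
echo "fields containing CR (line:field):"
make_sample | find_cr_fields
if make_sample | strip_cr | intel_is_clean; then
    echo "clean after strip_cr"
fi
```

For a real file, `strip_cr < malips.intel > malips.clean.intel` followed by `intel_is_clean < malips.clean.intel` applies the same check.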