[Bro] Mal-dnssearch issue

Jon Schipp jonschipp at gmail.com
Fri Oct 10 10:22:41 PDT 2014


Hello James,

Sorry, I've been really busy. Thanks for reporting, I'll look into it.
For any specific issue with the script you can create an issue on
GitHub and I'll take care of it :)

On Fri, Oct 10, 2014 at 9:44 AM, James Lay <jlay at slave-tothe-box.net> wrote:
> On 2014-10-09 15:48, James Lay wrote:
>> Hey again all,
>>
>> Got almost all the intel feeds that I'm looking to get save
>> one...malips.  From:
>>
>> http://blog.bro.org/2014/01/intelligence-data-and-bro_4980.html
>>
>> I'm running:
>>
>> mal-dnssearch -M malips -p | mal-dns2bro -T ip -s malips > malips.intel
>>
>> However the results look muffed:
>>
>> head malips.intel
>> #fields indicator       indicator_type  meta.source     meta.url        meta.do_notice  meta.if_in
>> 100.42.5Intel::ADDR     malips  -       F       -
>> 103.14.1Intel::ADDR     malips  -       F       -
>> 103.19.8Intel::ADDR     malips  -       F       -
>>
>> The others all look fine.  Again, am I missing a flag or something?
>> Thank you.
>>
>> James
>
> Some additional info shows that there's a carriage return after the
> IP...doing a :set list in vim shows:
>
> 100.42.50.110^M^IIntel::ADDR^Imalips^I-^IF^I-$
>
> None of the other .intel files show the ^M.  Thanks all.
>
> James
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro



-- 
Jon Schipp,
jonschipp.com, sickbits.net
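
The stray carriage return described in the thread, as an added example that is not part of either message or of mal-dnssearch: a Python check that flags and strips `\r` from a tab-separated intel file and validates each row before the file is loaded. The function name `check_intel` and the second sample row are constructed for illustration.

```python
import ipaddress

# Constructed sample: the header and first data row as shown in the thread
# (including the carriage return before the tab), plus one clean row.
SAMPLE = (
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.url"
    "\tmeta.do_notice\tmeta.if_in\n"
    "100.42.50.110\r\tIntel::ADDR\tmalips\t-\tF\t-\n"
    "192.0.2.10\tIntel::ADDR\tmalips\t-\tF\t-\n"
)

def check_intel(text):
    """Return (cleaned_text, problems) for a tab-separated intel file."""
    cleaned, problems, nfields = [], [], None
    # Split on "\n" only: str.splitlines() would also break rows at "\r"
    # and hide exactly the defect we are looking for.
    for lineno, line in enumerate(text.split("\n"), 1):
        if line == "":
            continue
        if "\r" in line:
            problems.append((lineno, "carriage return"))
            line = line.replace("\r", "")
        cols = line.split("\t")
        if cols[0] == "#fields":
            nfields = len(cols) - 1          # column names follow the tag
        elif not line.startswith("#"):
            if nfields is not None and len(cols) != nfields:
                problems.append(
                    (lineno, "expected %d columns, got %d" % (nfields, len(cols))))
            elif len(cols) > 1 and cols[1] == "Intel::ADDR":
                try:
                    ipaddress.ip_address(cols[0])
                except ValueError:
                    problems.append((lineno, "bad address %r" % cols[0]))
        cleaned.append(line)
    return "\n".join(cleaned) + "\n", problems

if __name__ == "__main__":
    fixed, found = check_intel(SAMPLE)
    for lineno, what in found:
        print("line %d: %s" % (lineno, what))
```
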
