[Bro] Mal-dnssearch issue
Jon Schipp
jonschipp at gmail.com
Fri Oct 10 11:13:20 PDT 2014
Oh you did, awesome. I didn't quite make it to that e-mail :)
It's fixed: https://github.com/jonschipp/mal-dnssearch/commit/2b9e5bb6797e1dcfcbf5e6f5368704d18765e2b1
On Fri, Oct 10, 2014 at 12:49 PM, James Lay <jlay at slave-tothe-box.net> wrote:
> On 2014-10-10 11:22, Jon Schipp wrote:
>>
>> Hello James,
>>
>> Sorry, I've been really busy. Thanks for reporting, I'll look into it.
>> For any specific issue with the script you can create an issue on
>> Github and I'll take care of it :)
>>
>> On Fri, Oct 10, 2014 at 9:44 AM, James Lay <jlay at slave-tothe-box.net>
>> wrote:
>>>
>>> On 2014-10-09 15:48, James Lay wrote:
>>>>
>>>> Hey again all,
>>>>
>>>> Got almost all the intel feeds that I'm looking to get save
>>>> one...malips. From:
>>>>
>>>> http://blog.bro.org/2014/01/intelligence-data-and-bro_4980.html
>>>>
>>>> I'm running:
>>>>
>>>> mal-dnssearch -M malips -p | mal-dns2bro -T ip -s malips > malips.intel
>>>>
>>>> However the results look muffed:
>>>>
>>>> head malips.intel
>>>> #fields indicator indicator_type meta.source meta.url meta.do_notice meta.if_in
>>>> 100.42.5Intel::ADDR malips - F -
>>>> 103.14.1Intel::ADDR malips - F -
>>>> 103.19.8Intel::ADDR malips - F -
>>>>
>>>> The others all look fine. Again, am I missing a flag or something?
>>>> Thank you.
>>>>
>>>> James
>>>
>>>
>>> Some additional info shows that there's a carriage return after the
>>> IP...doing a :set list in vim shows:
>>>
>>> 100.42.50.110^M^IIntel::ADDR^Imalips^I-^IF^I-$
>>>
>>> None of the other .intel files show the ^M. Thanks all.
>>>
>>> James
>
>
> Did so thanks Jon...I'll get work with this off list.
>
> James
>
--
Jon Schipp,
jonschipp.com, sickbits.net
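
A pre-load check for the symptom reported in this thread (a carriage return left after the indicator in malips.intel), as an added example that is not part of the original messages or of mal-dnssearch. The function names and the 192.0.2.7 row are constructed for illustration; the first data row reproduces the line shown by `:set list` above.

```shell
#!/bin/sh
# Added example: lint a Bro intel file before loading it.

# Print "<line>: <reason>" per problem; exit status 1 if anything was found.
# Reads the named file, or stdin when called without arguments.
intel_lint() {
    awk -F'\t' '
        /\r/ { printf "%d: carriage return in line\n", NR; bad = 1 }
        # "#fields" is itself the first tab-separated token, so subtract it.
        /^#fields/ { nf = NF - 1; next }
        /^#/ || /^$/ { next }
        nf && NF != nf {
            printf "%d: %d fields, header declares %d\n", NR, NF, nf; bad = 1
        }
        $2 == "Intel::ADDR" && $1 !~ /^[0-9A-Fa-f:.]+$/ {
            printf "%d: indicator has bytes that cannot be in an address\n", NR
            bad = 1
        }
        END { exit bad + 0 }
    ' "$@"
}

# Remove every CR byte from stdin.
intel_strip_cr() { tr -d '\r'; }

# Constructed sample: header from the thread, one row with the stray CR,
# one clean row using a documentation address.
make_sample() {
    printf '#fields\tindicator\tindicator_type\tmeta.source\tmeta.url\tmeta.do_notice\tmeta.if_in\n'
    printf '100.42.50.110\r\tIntel::ADDR\tmalips\t-\tF\t-\n'
    printf '192.0.2.7\tIntel::ADDR\tmalips\t-\tF\t-\n'
}

tmp=$(mktemp) && make_sample > "$tmp"
intel_lint "$tmp" || echo "rejected: fix the file before loading it"
intel_strip_cr < "$tmp" | intel_lint && echo "clean after stripping CR"
rm -f "$tmp"
```

The indicator check matters because the CR does not change the field count: the row still has six tab-separated columns, so only a byte-level or per-field test catches it.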