[Bro] Mal-dnssearch issue

Jon Schipp jonschipp at gmail.com
Fri Oct 10 11:13:20 PDT 2014


Oh you did, awesome. I didn't quite make it to that e-mail :)
It's fixed: https://github.com/jonschipp/mal-dnssearch/commit/2b9e5bb6797e1dcfcbf5e6f5368704d18765e2b1

On Fri, Oct 10, 2014 at 12:49 PM, James Lay <jlay at slave-tothe-box.net> wrote:
> On 2014-10-10 11:22, Jon Schipp wrote:
>>
>> Hello James,
>>
>> Sorry, I've been really busy. Thanks for reporting, I'll look into it.
>> For any specific issue with the script you can create an issue on
>> Github and I'll take care of it :)
>>
>> On Fri, Oct 10, 2014 at 9:44 AM, James Lay <jlay at slave-tothe-box.net>
>> wrote:
>>>
>>> On 2014-10-09 15:48, James Lay wrote:
>>>>
>>>> Hey again all,
>>>>
>>>> Got almost all the intel feeds that I'm looking to get save
>>>> one...malips.  From:
>>>>
>>>> http://blog.bro.org/2014/01/intelligence-data-and-bro_4980.html
>>>>
>>>> I'm running:
>>>>
>>>> mal-dnssearch -M malips -p | mal-dns2bro -T ip -s malips >
>>>> malips.intel
>>>>
>>>> However the results look muffed:
>>>>
>>>> head malips.intel
>>>> #fields indicator       indicator_type  meta.source     meta.url
>>>>  meta.do_notice  meta.if_in
>>>> 100.42.5Intel::ADDR     malips  -       F       -
>>>> 103.14.1Intel::ADDR     malips  -       F       -
>>>> 103.19.8Intel::ADDR     malips  -       F       -
>>>>
>>>> The others all look fine.  Again, am I missing a flag or something?
>>>> Thank you.
>>>>
>>>> James
>>>
>>>
>>> Some additional info shows that there's a carriage return after the
>>> IP...doing a :set list in vim shows:
>>>
>>> 100.42.50.110^M^IIntel::ADDR^Imalips^I-^IF^I-$
>>>
>>> None of the other .intel files show the ^M.  Thanks all.
>>>
>>> James
>
>
> Did so thanks Jon...I'll get work with this off list.
>
> James
>



-- 
Jon Schipp,
jonschipp.com, sickbits.net
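The fault James hit is a feed served with CRLF line endings: the carriage return survives into the tab-separated intel row, so `head` overprints the indicator and Bro sees an address with a trailing `\r`. As an added example, not code from this thread or from the mal-dnssearch project, the script below normalizes any line ending before building `Intel::ADDR` rows in the header layout shown above, drops values that do not parse as IP addresses, and checks the finished file for stray carriage returns or a wrong column count. The feed bytes, the hypothetical `check_intel` helper and its messages are constructed for this example.

```python
import ipaddress

# Column header exactly as it appears in the intel file quoted in the thread.
INTEL_HEADER = ("#fields\tindicator\tindicator_type\tmeta.source\tmeta.url"
                "\tmeta.do_notice\tmeta.if_in")

# Constructed sample feed with CRLF line endings, the shape that produced
# the ^M in the thread; the addresses are illustrative only.
SAMPLE_FEED = b"# comment line\r\n100.42.50.110\r\n103.14.1.2\r\nnot-an-ip\r\n\r\n"


def normalize_feed(raw):
    """Split a feed on any line ending and drop CRs, blanks and comments."""
    text = raw.decode("utf-8", errors="replace")
    lines = []
    for line in text.splitlines():      # handles \r\n, \r and \n alike
        line = line.strip()             # strip() also removes a stray \r
        if line and not line.startswith("#"):
            lines.append(line)
    return lines


def to_intel(indicators, source):
    """Emit Intel::ADDR rows, skipping anything that is not an IP address."""
    rows = [INTEL_HEADER]
    for ind in indicators:
        try:
            ipaddress.ip_address(ind)
        except ValueError:
            continue                    # a malformed indicator never matches
        rows.append(f"{ind}\tIntel::ADDR\t{source}\t-\tF\t-")
    return "\n".join(rows) + "\n"


def check_intel(text):
    """Report rows with a carriage return or the wrong number of columns."""
    problems = []
    for n, line in enumerate(text.split("\n"), 1):
        if not line or line.startswith("#"):
            continue
        if "\r" in line:
            problems.append(f"line {n}: carriage return in row")
        if len(line.split("\t")) != 6:
            problems.append(f"line {n}: expected 6 columns")
    return problems


if __name__ == "__main__":
    intel = to_intel(normalize_feed(SAMPLE_FEED), "malips")
    print(intel, check_intel(intel))
```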
