[Bro] Bro Intel framework - filter out

Andrew Ratcliffe andrew.ratcliffe at nswcsystems.co.uk
Sun Jan 18 04:02:13 PST 2015


Hi,
I am using a threat intelligence feed from a local installation of the Collective Intelligence Framework v2 and putting data into the Bro Intel framework.
andy at cif2:~$ cif --cc US --tags botnet -l 10 -c 85 -f bro > intel-2.dat
#fields indicator indicator_type meta.desc meta.cif_confidence meta.source
50.17.195.149 Intel::ADDR botnet|gozi 85 bambenekconsulting.com
50.17.195.149 Intel::ADDR botnet|gozi 85 bambenekconsulting.com
50.17.195.149 Intel::ADDR botnet|gozi 85 bambenekconsulting.com
50.17.195.149 Intel::ADDR botnet|gozi 85 bambenekconsulting.com

echo -e "testmyids.com\tIntel::DOMAIN\tsuspicious\t85\tTester" >> intel-2.dat
I added the above for testing purposes so that I can trigger an Intel alert and confirm everything is working.

This all works great and I can check my Kibana Bro intel dashboard for alerts.

The problem is that CIF2 queries DNS servers for the IP addresses of domains in the intel data, so I get a false positive showing my CIF2 server as the source.

I think the answer is to filter out my CIF2 server from Bro, but I've not managed to find an example I can follow anywhere. Any suggestions much appreciated.

Kind regards,
Andy
Andrew.Ratcliffe at NSWCSystems.co.uk
CISSP, GCIA, GCIH, GPEN, GWAPT, CSTA, CSTP
Blog.InfoSecMatters.net (http://blog.infosecmatters.net/)
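One way to do the filtering the post asks about, added here as an example and not code from the original post or from the Bro project: instead of suppressing the alert after the fact, stop the CIF2 server's DNS lookups from ever being handed to the Intel framework, so its indicator resolutions produce no intel.log hit at all. The script re-implements the DNS observation that the stock policy/frameworks/intel/seen/dns.bro makes and adds an originator check in front of it. Assumptions: the Bro 2.3 script layout (the list of other seen scripts named in the comment is the 2.3 set), the module name CIFIgnore and the set name intel_lookup_hosts are hypothetical, and 192.0.2.10 is a placeholder for the CIF2 server's address.

```bro
# cif-ignore.bro (hypothetical file name): observe DNS queries for the Intel
# framework, but skip queries that originate from the CIF2 server so its
# indicator lookups do not produce intel.log hits naming it as the source.
#
# Load this INSTEAD of the stock policy/frameworks/intel/seen/dns.bro. In
# local.bro, replace "@load frameworks/intel/seen" with separate @load lines
# for the other seen scripts (assumed Bro 2.3 set: conn-established,
# file-hashes, file-names, http-headers, http-url, smtp,
# smtp-url-extraction, ssl) plus this file. If the stock dns.bro stays
# loaded, its own dns_request handler still fires and the hit is still
# recorded, so the exclusion would have no effect.

@load base/frameworks/intel
@load policy/frameworks/intel/seen/where-locations

module CIFIgnore;   # hypothetical module name

export {
	## Hosts whose DNS queries must never be fed to the Intel framework.
	## 192.0.2.10 is a placeholder for the CIF2 server's address; override
	## it from local.bro with:
	##   redef CIFIgnore::intel_lookup_hosts += { <cif2 address> };
	const intel_lookup_hosts: set[addr] = { 192.0.2.10 } &redef;
}

# The same observation the stock dns.bro makes, with the originator check
# added. Only DNS requests are exempted: anything else the CIF2 host does
# (for example an actual connection to a listed address, which a threat
# feed server has no reason to make) is still matched by the other seen
# scripts and will still be reported.
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
	{
	if ( c$id$orig_h in intel_lookup_hosts )
		return;

	Intel::seen([$indicator=query,
	             $indicator_type=Intel::DOMAIN,
	             $conn=c,
	             $where=DNS::IN_REQUEST]);
	}
```

Keeping the exemption this narrow is deliberate: the CIF2 server is excluded only for the one behaviour that is known to be benign (resolving indicator domains), not as a host. If the Kibana alerts are driven by notice.log rather than intel.log, a Notice::policy hook that compares n$src against the same set would silence the notice instead, but the intel.log entries naming the CIF2 server would remain.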
