[Bro] Bro Intel framework - filter out

Derek Banks itsecderek at gmail.com
Sun Jan 18 12:11:49 PST 2015


You could stop CIF from doing the lookups if you wanted to (or not, depends
on if you want that data).  Something like this (depending on how you are
doing notices) should work:

# Hosts whose Intel hits should not trigger an email (here: the CIF server).
const intel_server_whitelist: set[addr] = { 10.10.10.10 };

hook Notice::policy(n: Notice::Info)
	{
	# Email only those Intel notices whose originator is not a whitelisted host.
	if ( n$note == Intel::Notice && n?$src && n$src !in intel_server_whitelist )
		{
		add n$actions[Notice::ACTION_EMAIL];
		}
	}

Regards,
Derek

On Sun, Jan 18, 2015 at 7:02 AM, Andrew Ratcliffe <
andrew.ratcliffe at nswcsystems.co.uk> wrote:

> Hi,
> I am using a threat intelligence feed from a local installation of the
> Collective Intelligence Framework v2 and putting data into the Bro Intel
> framework.
> andy at cif2:~$ cif --cc US --tags botnet -l 10 -c 85 -f bro > intel-2.dat
> #fields indicator indicator_type meta.desc meta.cif_confidence meta.source
> 50.17.195.149 Intel::ADDR botnet|gozi 85 bambenekconsulting.com
> 50.17.195.149 Intel::ADDR botnet|gozi 85 bambenekconsulting.com
> 50.17.195.149 Intel::ADDR botnet|gozi 85 bambenekconsulting.com
> 50.17.195.149 Intel::ADDR botnet|gozi 85 bambenekconsulting.com
>
> echo -e "testmyids.com\tIntel::DOMAIN\tsuspicious\t85\tTester" >>
> intel-2.dat
> Add the above for testing purposes so I can trigger an Intel alert to test
> everything is working.
>
> This all works great and I can check my Kibana Bro intel dashboard for
> alerts.
>
> The problem is that, CIF2 queries DNS servers for IP addresses for
> domains in the intel data - so I get a false positive showing my CIF2
> server as the source.
>
> I think the answer is to filter out my CIF2 server from Bro, but I've
> not managed to find an example I can follow anywhere. Any suggestions
> much appreciated.
>
> Kind regards,
> Andy
> Andrew.Ratcliffe at NSWCSystems.co.uk
> CISSP, GCIA, GCIH, GPEN, GWAPT, CSTA, CSTP
> Blog.InfoSecMatters.net <http://blog.infosecmatters.net/>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
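As an added example (not code from either post), a Notice::policy hook that goes one step further than the snippet above: for the ignored host it drops the Intel notice entirely, rather than only withholding the email, so the CIF server's own DNS lookups never reach notice.log or the dashboard. The name `intel_ignore_hosts` and the address 10.10.10.10 are placeholders, and it assumes Bro 2.x semantics in which ACTION_LOG is already present in n$actions when the policy hook runs.

```bro
# Hosts allowed to touch intel indicators without raising an alert, e.g. a
# CIF server that resolves indicator domains. 10.10.10.10 is a placeholder;
# &redef lets local.bro extend the set without editing this script.
const intel_ignore_hosts: set[addr] = { 10.10.10.10 } &redef;

hook Notice::policy(n: Notice::Info)
	{
	if ( n$note == Intel::Notice )
		{
		# NOTICE() fills in n$src from the connection originator before this
		# hook runs. An ignored host as originator (the CIF server doing its
		# DNS lookups) is an expected hit: remove the default ACTION_LOG
		# (assumed to be set already) and any email, so the notice is neither
		# logged nor mailed. A foreign host talking *to* the ignored host is
		# not the originator and still falls through to the else branch.
		if ( n?$src && n$src in intel_ignore_hosts )
			{
			delete n$actions[Notice::ACTION_LOG];
			delete n$actions[Notice::ACTION_EMAIL];
			}
		else
			{
			# A genuine Intel hit: keep the log entry and also send email.
			add n$actions[Notice::ACTION_EMAIL];
			}
		}
	}
```

Load it from local.bro; further hosts can be appended with `redef intel_ignore_hosts += { 192.0.2.53 };` (constructed address) without touching the hook.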