[Bro] Bro Intel framework - filter out

Andrew Ratcliffe andrew.ratcliffe at nswcsystems.co.uk
Sun Jan 18 14:50:12 PST 2015


Thanks for the suggestion. I'm not using the notice though, just the intel.log:

@load frameworks/intel/seen

redef Intel::read_files += {
    "/usr/local/bro/share/bro/site/intel-2.dat"
};

Is there no way to simply apply a BPF filter to Bro?
Kind regards,
Andy
Andrew.Ratcliffe at NSWCSystems.co.uk
CISSP, GCIA, GCIH, GPEN, GWAPT, CSTA, CSTP, CWSA
Blog.InfoSecMatters.net
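Two ways to keep the CIF2 server's own DNS lookups out of intel.log, written up here as an added example that is not part of the thread and not code from either poster. It assumes the CIF2 host is 10.10.10.10 (a placeholder; substitute the real address) and the Bro 2.3-era APIs: `restrict_filters` from the packet-filter framework, and a `Log::Filter` predicate on `Intel::LOG`. The `@load` and `Intel::read_files` lines are the same ones quoted in the message above.

```zeek
# local.bro fragment (added example, not from the mailing-list thread).
# Goal: stop the CIF2 threat-intel server itself from showing up as the
# source of Intel hits when it resolves the domains in its own feed.

@load frameworks/intel/seen

redef Intel::read_files += {
    "/usr/local/bro/share/bro/site/intel-2.dat"
};

# Placeholder for the CIF2 server's address; change to your own host.
const cif2_server = 10.10.10.10 &redef;

# Option 1: a BPF restriction. Entries in restrict_filters are AND-ed into
# the capture filter Bro installs, so packets to or from this host never
# reach any analyzer. Coarse: the host disappears from conn.log, dns.log
# and every other log as well, not just intel.log.
redef restrict_filters += { ["exclude-cif2"] = "not host 10.10.10.10" };

# Option 2: keep capturing the host's traffic but drop only the intel.log
# records whose connection originator is the CIF2 server. A Log::Filter
# predicate that returns F suppresses the record. Intel::Info$id is
# &optional (file-based hits carry no conn_id), so test for it first.
event bro_init()
    {
    # Replace the stock filter with one that carries our predicate.
    Log::remove_default_filter(Intel::LOG);
    Log::add_filter(Intel::LOG, [$name="default-no-cif2",
                                 $pred(rec: Intel::Info) =
                                     {
                                     if ( rec?$id && rec$id$orig_h == cif2_server )
                                         return F;
                                     return T;
                                     }]);
    }
```

Use one option or the other, not both: with the BPF restriction in place the log predicate never has anything to drop. Option 2 is the safer default for a monitoring host, because the CIF2 server stays visible in the rest of the logs and only the expected self-inflicted Intel hits are removed; Notice::policy is untouched, which matches the setup described above where only intel.log is consumed.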




On 18 Jan 2015, at 20:11, Derek Banks <itsecderek at gmail.com> wrote:

You could stop CIF from doing the lookups if you wanted to (or not, depends on if you want that data).  Something like this (depending on how you are doing notices) should work:

const intel_server_whitelist = {10.10.10.10};

hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == Intel::Notice && n?$src && !(n$src in intel_server_whitelist) )
        {
        add n$actions[Notice::ACTION_EMAIL];
        }
    }

Regards,
Derek

On Sun, Jan 18, 2015 at 7:02 AM, Andrew Ratcliffe <andrew.ratcliffe at nswcsystems.co.uk> wrote:
Hi,
I am using a threat intelligence feed from a local installation of the Collective Intelligence Framework v2 and putting data into the Bro Intel framework.
andy at cif2:~$ cif --cc US --tags botnet -l 10 -c 85 -f bro > intel-2.dat
#fields indicator indicator_type meta.desc meta.cif_confidence meta.source
50.17.195.149 Intel::ADDR botnet|gozi 85 bambenekconsulting.com
50.17.195.149 Intel::ADDR botnet|gozi 85 bambenekconsulting.com
50.17.195.149 Intel::ADDR botnet|gozi 85 bambenekconsulting.com
50.17.195.149 Intel::ADDR botnet|gozi 85 bambenekconsulting.com

echo -e "testmyids.com\tIntel::DOMAIN\tsuspicious\t85\tTester" >> intel-2.dat
I add the above for testing purposes so I can trigger an Intel alert to check that everything is working.

This all works great and I can check my Kibana Bro intel dashboard for alerts.

The problem is that CIF2 queries DNS servers for the IP addresses of domains in the intel data, so I get a false positive showing my CIF2 server as the source.

I think the answer is to filter out my CIF2 server from Bro, but I've not managed to find an example I can follow anywhere. Any suggestions much appreciated.

Kind regards,
Andy
Andrew.Ratcliffe at NSWCSystems.co.uk
CISSP, GCIA, GCIH, GPEN, GWAPT, CSTA, CSTP
Blog.InfoSecMatters.net




