[Bro] Bro Intel framework - filter out

Mike Patterson mike.patterson at uwaterloo.ca
Sun Jan 18 15:31:48 PST 2015


Here’s how I do it:

event bro_init() &priority=-12
        {
        restrict_filters["ignore"] = "not (net 10.0.0.1/24 or host 10.1.2.3)";
        PacketFilter::install();
        }

There’s probably other, possibly even better, ways to do it, but this works for me.

Mike
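
As an added example (not Mike's code and not part of Bro's own scripts), here is the same idea generalized: the hosts to exclude live in a redef-able set of subnets, and the BPF exclusion is built from that set instead of being hand-written. The names `intel_lookup_hosts` and `build_exclusion_filter` are assumptions chosen for this illustration; the sample addresses are constructed.

```bro
# Hosts or subnets whose own traffic (e.g. a CIF2 server resolving
# indicator domains) must never be inspected, so it can't show up
# as a false positive in intel.log. Override in local.bro with
#   redef intel_lookup_hosts += { 192.0.2.5/32 };
const intel_lookup_hosts: set[subnet] = { 10.1.2.3/32, 10.0.0.0/24 } &redef;

# Turn the set into one BPF expression such as
#   not (net 10.1.2.3/32 or net 10.0.0.0/24)
function build_exclusion_filter(hosts: set[subnet]): string
	{
	local terms: vector of string = vector();
	for ( s in hosts )
		terms[|terms|] = fmt("net %s", s);
	return fmt("not (%s)", join_string_vec(terms, " or "));
	}

# Run after the packet-filter framework's own bro_init handler so the
# restriction is in place when the filter is (re)installed.
event bro_init() &priority=-12
	{
	if ( |intel_lookup_hosts| == 0 )
		return;
	restrict_filters["ignore-intel-lookup-hosts"] = build_exclusion_filter(intel_lookup_hosts);
	PacketFilter::install();
	}
```

Because the exclusion happens in the capture filter, Bro never sees the lookup host's packets at all, so neither the Intel framework nor any other analyzer can log them.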

> On Jan 18, 2015, at 5:50 PM, Andrew Ratcliffe <andrew.ratcliffe at nswcsystems.co.uk> wrote:
> 
> Thanks for the suggestion. I'm not using the notice though just the intel.log :
> 
> @load frameworks/intel/seen
> 
> redef Intel::read_files += {
>     "/usr/local/bro/share/bro/site/intel-2.dat"
> };
> 
> Is there no way to simply apply a BPF filter to Bro? 
> Kind regards,
> Andy
> Andrew.Ratcliffe at NSWCSystems.co.uk
> CISSP, GCIA, GCIH, GPEN, GWAPT, CSTA, CSTP, CWSA
> Blog.InfoSecMatters.net
> 
> 
> 
> 
>> On 18 Jan 2015, at 20:11, Derek Banks <itsecderek at gmail.com> wrote:
>> 
>> You could stop CIF from doing the lookups if you wanted to (or not, depends on if you want that data).  Something like this (depending on how you are doing notices) should work:
>> 
>> # Intel lookup hosts that should never trigger an e-mailed Intel notice
>> const intel_server_whitelist: set[addr] = { 10.10.10.10 };
>> 
>> hook Notice::policy(n: Notice::Info)
>>         {
>>         if ( n$note == Intel::Notice && n?$src && n$src !in intel_server_whitelist )
>>                 add n$actions[Notice::ACTION_EMAIL];
>>         }
>> 
>> Regards,
>> Derek
>> 
>> On Sun, Jan 18, 2015 at 7:02 AM, Andrew Ratcliffe <andrew.ratcliffe at nswcsystems.co.uk> wrote:
>> Hi,
>> I am using a threat intelligence feed from a local installation of the Collective Intelligence Framework v2 and putting data into the Bro Intel framework.
>> andy at cif2:~$ cif --cc US --tags botnet -l 10 -c 85 -f bro > intel-2.dat
>> #fields	indicator	indicator_type	meta.desc	meta.cif_confidence	meta.source
>> 50.17.195.149	Intel::ADDR	botnet|gozi	85	bambenekconsulting.com
>> 50.17.195.149	Intel::ADDR	botnet|gozi	85	bambenekconsulting.com
>> 50.17.195.149	Intel::ADDR	botnet|gozi	85	bambenekconsulting.com
>> 50.17.195.149	Intel::ADDR	botnet|gozi	85	bambenekconsulting.com
>> 
>> echo -e "testmyids.com\tIntel::DOMAIN\tsuspicious\t85\tTester" >> intel-2.dat
>> I add the above for testing purposes so I can trigger an Intel alert to check that everything is working.
>> 
>> This all works great and I can check my Kibana Bro intel dashboard for alerts.
>> 
>> The problem is that CIF2 queries DNS servers for IP addresses for domains in the intel data, so I get a false positive showing my CIF2 server as the source.
>> 
>> I think the answer is to filter out my CIF2 server from Bro, but I've not managed to find an example I can follow anywhere. Any suggestions much appreciated.
>> 
>> Kind regards,
>> Andy
>> Andrew.Ratcliffe at NSWCSystems.co.uk
>> CISSP, GCIA, GCIH, GPEN, GWAPT, CSTA, CSTP
>> Blog.InfoSecMatters.net
>> 
>> 
>> 
>> 
>> 
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>> 
> 