[Bro] [bro] Bro intelligence framework meta data issue.

Giedrius Ramas giedrius.ramas at gmail.com
Thu Jan 22 06:44:12 PST 2015


Hi all,
I am facing an issue when trying to get Bro intel working. The matter is
that I cannot get meta data from Intel::MetaData.

The Bro intelligence itself is working fine. Here is my intel.dat file:

#fields indicator indicator_type meta.desc meta.cif_confidence meta.source
honargah.ir/images/sampledata/2013gdoc Intel::URL phishing 85 phishtank.com


and intel.log output:

#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path intel
#open 2015-01-22-09-36-43
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc seen.indicator seen.indicator_type seen.where sources
#types time string addr port addr port string string string string enum enum set[string]
1421919403.137259 Cz3Nvm4BHmAtqNxKHa 10.3.2.2 63982 142.4.119.66 80 - - - buy-pokerist-chips.com/wealth/t/ Intel::URL HTTP::IN_URL phishtank.com

So as you can see, there aren't any meta data fields in the intel.log output.

Please shed some light on this. Where should I look for troubleshooting?

I have these scripts loaded:

@load frameworks/intel/seen
@load frameworks/intel/do_notice

@load   policy/integration/collective-intel
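The intel.log columns shown above (ts, uid, the connection tuple, fuid, seen.*, sources) are all that the base intel framework logs; the per-item Intel::MetaData (meta.desc, meta.source, and the cif_confidence field that the collective-intel policy adds) is only available to script handlers at match time. The following script is an added example, not part of the original post or of the Bro distribution. It assumes the Bro 2.3 Intel API, namely the Intel::extend_match hook (which receives the Intel::Info record before it is written to intel.log) and Intel::Item$meta with the optional $desc field and the mandatory $source field; the field names meta_desc, meta_source and meta_confidence are chosen here for illustration.

```bro
# Added example (not from the original post): copy Intel::MetaData from the
# matched items into intel.log. Assumes Bro 2.3's Intel::extend_match hook.
@load base/frameworks/intel
# Needed only for Intel::MetaData$cif_confidence; safe to load regardless.
@load policy/integration/collective-intel

module IntelMetaLog;

export {
	# Extra intel.log columns (names are this example's choice, not Bro defaults).
	# Sets, because one indicator may match several intel items from
	# different feeds, each with its own description and confidence.
	redef record Intel::Info += {
		meta_desc:       set[string] &log &optional;
		meta_source:     set[string] &log &optional;
		meta_confidence: set[double] &log &optional;
	};
}

# The intel framework runs this hook just before Log::write, so anything
# assigned to `info` here appears on the corresponding intel.log line.
hook Intel::extend_match(info: Intel::Info, s: Intel::Seen, items: set[Intel::Item])
	{
	local descs: set[string];
	local srcs:  set[string];
	local confs: set[double];

	for ( item in items )
		{
		# meta.desc is &optional in Intel::MetaData, so test before reading.
		if ( item$meta?$desc )
			add descs[item$meta$desc];

		# meta.source is mandatory, no presence check needed.
		add srcs[item$meta$source];

		# cif_confidence exists only with collective-intel loaded and only
		# when the feed line actually carried the column.
		if ( item$meta?$cif_confidence )
			add confs[item$meta$cif_confidence];
		}

	if ( |descs| > 0 )
		info$meta_desc = descs;
	if ( |srcs| > 0 )
		info$meta_source = srcs;
	if ( |confs| > 0 )
		info$meta_confidence = confs;
	}
```

Save it as, for instance, intel-meta.bro next to local.bro and @load it; with the intel.dat line from the post, a hit would add meta_desc=phishing, meta_source=phishtank.com and meta_confidence=85.0 as new columns in intel.log. Checking that the hook is actually reached (for example with a print inside the loop) is also a quick way to confirm that the metadata columns of the feed file are being parsed at all, since a feed line whose #fields header does not match the data columns is silently skipped by the input framework.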