[Bro] Threat Intelligence Management

Andrew Ratcliffe andrew.ratcliffe at nswcsystems.co.uk
Sat Jun 27 14:37:09 PDT 2015


Hi,
I tried using criticalstack, as it sounds like a really cool idea. I just can’t seem to get any events from it.

Should events go to the notice.log or the intel.log?

I tried a ping from an address present in the feed, then looked for output: I have a conn.log ICMP entry and a syslog entry, but nothing else.
Andys-MacBook-Air:~ andy$ ping 89.106.121.76

[root@bro current]# grep -l '89.106.121.76' *.log
conn.log
syslog.log

1435439487.024865 C6HBUkZ7i07zlYE5a 172.31.254.179 8 89.106.121.76 0 icmp - 9.123324 560 560 OTH T 0 - 1840 10 840 (empty) - BG - - 22.872499 43.990002

I have some intel loaded from CIF2 and that works OK; I use the test event:
Andys-MacBook-Air:~ andy$ curl http://testmyids.com
uid=0(root) gid=0(root) groups=0(root)
intel.log
1435439895.054961 CaEWz015AEjRJRruN2 172.31.254.179 55025 172.31.254.80 53 - - - testmyids.com Intel::DOMAIN DNS::IN_REQUEST Tester
1435439895.054965 COdqds1DkdarGlSnY1 172.31.254.179 53210 172.31.254.80 53 - - - testmyids.com Intel::DOMAIN DNS::IN_REQUEST Tester
1435439895.055305 CLcqwd2xLkH0MUUtf3 172.31.254.80 50910 8.8.4.4 53 - - - testmyids.com Intel::DOMAIN DNS::IN_REQUEST Tester
1435439895.055309 Cwdyhm1vbT1SnTiSG1 172.31.254.80 50639 8.8.4.4 53 - - - testmyids.com Intel::DOMAIN DNS::IN_REQUEST Tester
1435439895.253858 CtMoHr3h546C8UmdSi 172.31.254.179 50214 82.165.177.154 80 - - - testmyids.com Intel::DOMAIN HTTP::IN_HOST_HEADER Tester

Am I doing something wrong?

Kind regards,
Andy
Andrew.Ratcliffe at NSWCSystems.co.uk
CISSP, GCIA, GCIH, GPEN, GWAPT, CSTA, CSTP, CWSA, GCFE
http://blog.infosecmatters.net/
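A minimal way to see where Intel framework hits land, as an added example that is not code from any post in this thread, from Critical Stack or from the Bro project: a hand-written intel file plus a local.bro fragment for Bro 2.x. The file path, the feed name `test-feed`, and the reuse of 89.106.121.76 (the address pinged above) and testmyids.com as test indicators are assumptions. The framework itself writes every match to intel.log; with `frameworks/intel/do_notice` loaded, entries whose `meta.do_notice` column is `T` additionally raise an `Intel::Notice` in notice.log. One caveat matters for the ping test: in Bro 2.x the address check for connections (`policy/frameworks/intel/seen/conn-established.bro`) is driven by the `connection_established` event, which only fires for completed TCP handshakes, so an ICMP echo to a listed address yields a conn.log line but no `Intel::ADDR` match, whereas a TCP connection to the same address (for instance `curl http://89.106.121.76/`) does.

```bro
# Added example, not from the thread, Critical Stack or the Bro distribution.
# Assumptions: Bro 2.x, site scripts under /usr/local/bro/share/bro/site,
# and a feed called "test-feed". Adjust paths to your install.

# --- /usr/local/bro/share/bro/site/intel/test.dat ---
# Columns are separated by a single TAB (shown here with spaces); the
# header line must be present and must start with "#fields".
#
# #fields  indicator      indicator_type  meta.source  meta.desc              meta.do_notice
# 89.106.121.76  Intel::ADDR    test-feed    address from the ping test  T
# testmyids.com  Intel::DOMAIN  test-feed    domain from the curl test   T

# --- local.bro ---
@load frameworks/intel/seen       # hooks conns, DNS, HTTP, SMTP, files, ...
@load frameworks/intel/do_notice  # Intel::Notice in notice.log when meta.do_notice=T

redef Intel::read_files += {
	"/usr/local/bro/share/bro/site/intel/test.dat",
};

# The framework already logs each match to intel.log; this handler only
# prints which "seen" hook produced it (Conn::IN_RESP for a TCP connection
# to the address, DNS::IN_REQUEST / HTTP::IN_HOST_HEADER for the domain),
# which is the quickest way to tell why a ping does not match.
event Intel::match(s: Intel::Seen, items: set[Intel::Item])
	{
	for ( item in items )
		print fmt("intel hit: %s (%s) at %s, source %s",
		          s$indicator, s$indicator_type, s$where, item$meta$source);
	}
```

Create the intel file with real tab separators, for example with `printf '#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.do_notice\n89.106.121.76\tIntel::ADDR\ttest-feed\tping test\tT\n' > test.dat`, then `broctl check && broctl deploy` (or run `bro -r capture.pcap local` against a pcap of the test traffic). Repeating the curl test should then produce a line in both intel.log and notice.log; repeating the ping will still only show up in conn.log, for the reason given above.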

On 25 Jun 2015, at 13:51, Liam Randall <liam.randall at gmail.com> wrote:

No, Critical Stack is entirely custom; we are not building a TIP. We wanted an easy way to have actionable intel stream into Bro as it is discovered, so we built it. We thought others would want it as well, so we made it freely available to the community. We are getting ready to launch a new extension to it called KITTY (Keep Intel Transactions To Yourself) that allows you to privately share and deploy hundreds of millions of indicators in a fast, memory-efficient way. It integrates directly with our online marketplace; we deployed our first test clients this week. We'll announce more shortly @CriticalStack.

For TIPs there are a lot of great solutions you should look at:

Free:
MISP
CRITS

Commercial:
Soltra Edge (has a free version)
ThreatConnect
ThreatStream
ThreatQ (ThreatQuotient)
BrightPoint Security (formerly Vorstack)


V/r,

Liam Randall


On Thu, Jun 25, 2015 at 8:37 AM, Harry Hoffman <hhoffman at ip-solutions.net> wrote:
Is critical stack based upon CIF (collective intelligence framework)?

It looks very similar.

Cheers,
Harry


On Jun 25, 2015 7:44 AM, Heine Lysemose <lysemose at gmail.com> wrote:
>
> Hi
>
> I encourage you to have a look at, https://intel.criticalstack.com/
>
> Best,
> Lysemose
>
> On Thu, Jun 25, 2015 at 1:31 PM, Jan Grashofer <jan.grashofer at cern.ch> wrote:
>>
>> Hi all,
>>
>> I am having a look at Threat Intelligence Management solutions, which can be used with Bro. What do you use and what are your experiences?
>>
>> Regards,
>> Jan
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>

