[Bro] Threat Intelligence Management

Josh Liburdi liburdi.joshua at gmail.com
Sat Jun 27 15:55:17 PDT 2015


Andy,


By default the Intel framework only generates log entries for IP addresses if the connection is a fully established TCP connection. That's probably why pinging an IP did not generate an entry.




Josh
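An added example (not from this thread, and not Bro's own policy script) of the point above: the stock hook in policy/frameworks/intel/seen/conn-established.bro calls Intel::seen only once both TCP sides are ESTABLISHED, so ICMP and UDP flows never reach the Intel matcher. A site that wants IP indicators matched against those flows can register the endpoints itself; this assumes the Bro 2.x Intel API (Intel::seen, Conn::IN_ORIG, Conn::IN_RESP) and the module name IntelNonTcp is my own.

```bro
##! Added example: match IP indicators against ICMP and UDP flows too.
##! The shipped conn-established.bro only reports endpoints of fully
##! established TCP connections, which is why a ping never hits intel.log.

@load base/frameworks/intel
@load frameworks/intel/seen

module IntelNonTcp;

event connection_state_remove(c: connection)
	{
	# Transport protocol of the flow (tcp, udp, icmp, unknown_transport).
	local proto = get_port_transport_proto(c$id$resp_p);

	# TCP is already covered by conn-established.bro; skipping it here
	# avoids logging the same established session twice.
	if ( proto == tcp )
		return;

	# For ICMP and UDP there is no handshake to wait for, so report both
	# endpoints once, when Bro tears the connection state down.
	Intel::seen([$host=c$id$orig_h, $conn=c, $where=Conn::IN_ORIG]);
	Intel::seen([$host=c$id$resp_h, $conn=c, $where=Conn::IN_RESP]);
	}
```

Expect more intel.log entries than with TCP alone: unsolicited traffic such as scans and stray UDP from a listed address now matches even though no session was ever established.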







On Saturday, Jun 27, 2015 at 5:39 PM, Andrew Ratcliffe <andrew.ratcliffe at nswcsystems.co.uk> wrote:

Hi,

I tried using criticalstack, as it sounds like a really cool idea. I just can’t seem to get any events from it.




Should events go to the notice.log or the intel.log?




I tried a ping from an address present in the feed then looked for output and I have conn.log ICMP entry and a syslog entry but nothing else.

Andys-MacBook-Air:~ andy$ ping 89.106.121.76

[root at bro current]# grep -l '89.106.121.76' *.log
conn.log
syslog.log

1435439487.024865 C6HBUkZ7i07zlYE5a 172.31.254.179 8 89.106.121.76 0 icmp - 9.123324 560 560 OTH T 0 - 1840 10 840 (empty) - BG - - 22.872499 43.990002






I have some Intel loaded from CIF2 and that works OK. I use the test event:



Andys-MacBook-Air:~ andy$ curl http://testmyids.com
uid=0(root) gid=0(root) groups=0(root)

intel.log

1435439895.054961 CaEWz015AEjRJRruN2 172.31.254.179 55025 172.31.254.80 53 - - - testmyids.com Intel::DOMAIN DNS::IN_REQUEST Tester
1435439895.054965 COdqds1DkdarGlSnY1 172.31.254.179 53210 172.31.254.80 53 - - - testmyids.com Intel::DOMAIN DNS::IN_REQUEST Tester
1435439895.055305 CLcqwd2xLkH0MUUtf3 172.31.254.80 50910 8.8.4.4 53 - - - testmyids.com Intel::DOMAIN DNS::IN_REQUEST Tester
1435439895.055309 Cwdyhm1vbT1SnTiSG1 172.31.254.80 50639 8.8.4.4 53 - - - testmyids.com Intel::DOMAIN DNS::IN_REQUEST Tester
1435439895.253858 CtMoHr3h546C8UmdSi 172.31.254.179 50214 82.165.177.154 80 - - - testmyids.com Intel::DOMAIN HTTP::IN_HOST_HEADER Tester






Am I doing something wrong?




Kind regards,

Andy

Andrew.Ratcliffe at NSWCSystems.co.uk
CISSP, GCIA, GCIH, GPEN, GWAPT, CSTA, CSTP, CWSA, GCFE
Blog.InfoSecMatters.net

On 25 Jun 2015, at 13:51, Liam Randall <liam.randall at gmail.com> wrote:



No, Critical Stack is entirely custom; we are not building a TIP. We wanted an easy way to have actionable intel stream into bro as it is discovered, so we built it. We thought others would want it as well, so we made it freely available to the community. We are getting ready to launch a new extension to it called KITTY (Keep Intel Transactions To Yourself) that allows you to privately share and deploy hundreds of millions of indicators in a fast, memory-efficient way. It integrates directly with our online marketplace; we deployed our first test clients this week. We'll announce more shortly @CriticalStack.



For TIPs there are a lot of great solutions you should look at:




Free:
MISP
CRITS

Commercial:
Soltra Edge (has a free version)
ThreatConnect
ThreatStream
ThreatQ (ThreatQuotient)
BrightPoint Security (formerly Vorstack)

V/r,

Liam Randall








On Thu, Jun 25, 2015 at 8:37 AM, Harry Hoffman <hhoffman at ip-solutions.net> wrote:

Is critical stack based upon CIF (collective intelligence framework)?


It looks very similar.


Cheers,

Harry





On Jun 25, 2015 7:44 AM, Heine Lysemose <lysemose at gmail.com> wrote:

>
> Hi
>
> I encourage you to have a look at https://intel.criticalstack.com/
>
> Best,
> Lysemose
>
> On Thu, Jun 25, 2015 at 1:31 PM, Jan Grashofer <jan.grashofer at cern.ch> wrote:
>>
>> Hi all,
>>
>> I am having a look at Threat Intelligence Management solutions, which can be used with Bro. What do you use and what are your experiences?
>>
>> Regards,
>> Jan
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>

