[Bro] Threat Intelligence Management
Josh Liburdi
liburdi.joshua at gmail.com
Sat Jun 27 15:55:17 PDT 2015
Andy,
By default the Intel framework only generates log entries for IP addresses if the connection is a fully established TCP connection. That's probably why pinging an IP did not generate an entry.
Josh
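As an added illustration of Josh's point (this is my example, not code from the thread and not one of Bro's stock scripts): the stock intel "seen" handler only passes host addresses to Intel::seen from connection_established, once both TCP endpoints are in the ESTABLISHED state, so an ICMP echo to a listed address never reaches the framework. The script below also feeds the endpoints of non-TCP flows. It assumes a Bro 2.x install where frameworks/intel/seen is loaded (it must be already, or the DNS and HTTP hits above would not exist); Conn::IN_ORIG and Conn::IN_RESP come from those seen scripts.

```bro
# Added example, not part of the original thread and not one of Bro's
# stock scripts. By default the Intel framework only sees host addresses
# for fully established TCP connections, so an ICMP echo to a listed
# address yields a conn.log row but no intel.log row. This handler also
# submits the endpoints of every non-TCP flow (UDP, ICMP) to Intel::seen.
@load base/frameworks/intel
@load frameworks/intel/seen

event new_connection(c: connection)
	{
	# TCP is already covered by the stock connection_established handler;
	# only add the transports it skips.
	if ( get_port_transport_proto(c$id$resp_p) == tcp )
		return;

	Intel::seen([$host=c$id$orig_h,
	             $conn=c,
	             $where=Conn::IN_ORIG]);
	Intel::seen([$host=c$id$resp_h,
	             $conn=c,
	             $where=Conn::IN_RESP]);
	}
```

Drop it in the site directory and @load it from local.bro. A match is written to intel.log; it only also reaches notice.log when frameworks/intel/do_notice is loaded and the indicator carries meta.do_notice=T. Two caveats before enabling this on a production sensor: neither UDP nor ICMP involves a handshake, so the source address of a hit on an unestablished flow can be spoofed and such a hit is weaker evidence than an established TCP match; and new_connection fires for every flow start, so scans and busy links produce many more Intel::seen calls than the default handler does.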
On Saturday, Jun 27, 2015 at 5:39 PM, Andrew Ratcliffe <andrew.ratcliffe at nswcsystems.co.uk> wrote:
Hi,
I tried using criticalstack, as it sounds like a really cool idea. I just can’t seem to get any events from it.
Should events go to the notice.log or the intel.log?
I tried a ping from an address present in the feed then looked for output and I have conn.log ICMP entry and a syslog entry but nothing else.
Andys-MacBook-Air:~ andy$ ping 89.106.121.76
[root at bro current]# grep -l '89.106.121.76' *.log
conn.log
syslog.log
1435439487.024865 C6HBUkZ7i07zlYE5a 172.31.254.179 8 89.106.121.76 0 icmp - 9.123324 560 560 OTH T 0 - 1840 10 840 (empty) - BG - - 22.872499 43.990002
I have some Intel loaded from CIF2 and that works OK; I use the test event:
Andys-MacBook-Air:~ andy$ curl http://testmyids.com
uid=0(root) gid=0(root) groups=0(root)
intel.log
1435439895.054961 CaEWz015AEjRJRruN2 172.31.254.179 55025 172.31.254.80 53 - - - testmyids.com Intel::DOMAIN DNS::IN_REQUEST Tester
1435439895.054965 COdqds1DkdarGlSnY1 172.31.254.179 53210 172.31.254.80 53 - - - testmyids.com Intel::DOMAIN DNS::IN_REQUEST Tester
1435439895.055305 CLcqwd2xLkH0MUUtf3 172.31.254.80 50910 8.8.4.4 53 - - - testmyids.com Intel::DOMAIN DNS::IN_REQUEST Tester
1435439895.055309 Cwdyhm1vbT1SnTiSG1 172.31.254.80 50639 8.8.4.4 53 - - - testmyids.com Intel::DOMAIN DNS::IN_REQUEST Tester
1435439895.253858 CtMoHr3h546C8UmdSi 172.31.254.179 50214 82.165.177.154 80 - - - testmyids.com Intel::DOMAIN HTTP::IN_HOST_HEADER Tester
Am I doing something wrong?
Kind regards,
Andy
Andrew.Ratcliffe at NSWCSystems.co.uk
CISSP, GCIA, GCIH, GPEN, GWAPT, CSTA, CSTP, CWSA, GCFE
Blog.InfoSecMatters.net
On 25 Jun 2015, at 13:51, Liam Randall <liam.randall at gmail.com> wrote:
No, Critical Stack is entirely custom; we are not building a TIP. We wanted an easy way to have actionable intel stream into Bro as it is discovered, so we built it. We thought others would want it as well, so we made it freely available to the community. We are getting ready to launch a new extension to it called KITTY (Keep Intel Transactions To Yourself) that allows you to privately share and deploy hundreds of millions of indicators in a fast, memory-efficient way. It integrates directly with our online marketplace; we deployed our first test clients this week. We'll announce more shortly @CriticalStack.
For TIPs there are a lot of great solutions you should look at:
Free:
MISP
CRITS
Commercial:
Soltra Edge (has a free version)
ThreatConnect
ThreatStream
ThreatQ (ThreatQuotient)
BrightPoint Security (formerly Vorstack)
V/r,
Liam Randall
On Thu, Jun 25, 2015 at 8:37 AM, Harry Hoffman <hhoffman at ip-solutions.net> wrote:
Is critical stack based upon CIF (collective intelligence framework)?
It looks very similar.
Cheers,
Harry
On Jun 25, 2015 7:44 AM, Heine Lysemose <lysemose at gmail.com> wrote:
>
> Hi
>
> I encourage you to have a look at, https://intel.criticalstack.com/
>
> Best,
> Lysemose
>
> On Thu, Jun 25, 2015 at 1:31 PM, Jan Grashofer <jan.grashofer at cern.ch> wrote:
>>
>> Hi all,
>>
>> I am having a look at Threat Intelligence Management solutions, which can be used with Bro. What do you use and what are your experiences?
>>
>> Regards,
>> Jan
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>