[Bro] Threat Intelligence Management

Andrew Ratcliffe andrew.ratcliffe at nswcsystems.co.uk
Sun Jun 28 15:02:18 PDT 2015


Hi Josh,
Thanks for pointing that out. However, I still seem to have a problem:
www.etiksecimler.com/appraiser/ipad/	Intel::URL	from http://www.phishtank.com/phish_detail.php?phish_id=3266591 via intel.criticalstack.com	F
Use Curl to get the URL
Andys-MacBook-Air:~ andy$ curl www.etiksecimler.com/appraiser/ipad/
Still no intel.log entry
[root at bro current]# grep -l www.etiksecimler.com *.log
dns.log
http.log

# Critical Stack, Inc - https://intel.criticalstack.com
@load /opt/critical-stack/frameworks/intel
# Uncomment the following line to enable detection of the heartbleed attack. Enabling
# this might impact performance a bit.
# @load policy/protocols/ssl/heartbleed
@load conn-geoip2.bro
@load intel-2.bro
#@load bpf-filter.bro

Kind regards,
Andy
Andrew.Ratcliffe at NSWCSystems.co.uk
CISSP, GCIA, GCIH, GPEN, GWAPT, CSTA, CSTP, CWSA, GCFE
Blog.InfoSecMatters.net <http://blog.infosecmatters.net/>
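Added example, not code from the thread or from Bro or Critical Stack: it parses an intel file in the Bro Intel framework's tab-separated format and shows which constructed log records would produce an intel.log hit, including why the ICMP ping in this thread produces none. The seen_items rules, the NOT_ESTABLISHED set and the SAMPLE records are simplified assumptions about the framework, not Bro's own scripts.

```python
# Constructed intel feed in Bro's Intel framework format (like the Critical Stack line above).
INTEL_FEED = (
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.do_notice\n"
    "www.etiksecimler.com/appraiser/ipad/\tIntel::URL\tphishtank via criticalstack\tF\n"
    "testmyids.com\tIntel::DOMAIN\tTester\tF\n"
    "89.106.121.76\tIntel::ADDR\tconstructed-feed\tF\n"
)
# conn_state values with no completed TCP handshake (assumption: ADDR hits need connection_established)
NOT_ESTABLISHED = {"S0", "REJ", "RSTOS0", "RSTRH", "SH", "SHR", "OTH"}

def load_intel(text):
    """Parse an intel file into {(indicator_type, indicator): meta.source}."""
    fields, index = None, {}
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("indicator line before #fields header")
            row = dict(zip(fields, line.split("\t")))
            index[(row["indicator_type"], row["indicator"])] = row["meta.source"]
    return index

def seen_items(rec):
    """Yield (indicator_type, indicator, where) a record feeds to Intel::seen (simplified model)."""
    if rec["log"] == "conn":
        if rec["proto"] == "tcp" and rec["conn_state"] not in NOT_ESTABLISHED:
            yield ("Intel::ADDR", rec["resp_h"], "Conn::IN_RESP")
    elif rec["log"] == "dns":
        yield ("Intel::DOMAIN", rec["query"], "DNS::IN_REQUEST")
    elif rec["log"] == "http":
        yield ("Intel::DOMAIN", rec["host"], "HTTP::IN_HOST_HEADER")
        yield ("Intel::URL", rec["host"] + rec["uri"], "HTTP::IN_URL")  # scheme-less, as Bro builds it

def match_records(index, records):
    """Return intel.log-style hits: (indicator, indicator_type, seen.where, source)."""
    hits = []
    for rec in records:
        for itype, ind, where in seen_items(rec):
            if (itype, ind) in index:
                hits.append((ind, itype, where, index[(itype, ind)]))
    return hits

# Constructed records mirroring the thread: the ping, the curl tests, and a real TCP session.
SAMPLE = [
    {"log": "conn", "proto": "icmp", "resp_h": "89.106.121.76", "conn_state": "OTH"},
    {"log": "dns", "query": "testmyids.com"},
    {"log": "http", "host": "www.etiksecimler.com", "uri": "/appraiser/ipad/"},
    {"log": "conn", "proto": "tcp", "resp_h": "89.106.121.76", "conn_state": "SF"},
]
```

Running match_records(load_intel(INTEL_FEED), SAMPLE) yields hits for the DNS query, the URL and the established TCP session, but nothing for the ICMP record.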
> On 27 Jun 2015, at 23:55, Josh Liburdi <liburdi.joshua at gmail.com> wrote:
> 
> Andy,
> 
> By default the Intel framework only generates log entries for IP addresses if the connection is a fully established TCP connection. That's probably why pinging an IP did not generate an entry.
> 
> Josh
> 
> On Saturday, Jun 27, 2015 at 5:39 PM, Andrew Ratcliffe <andrew.ratcliffe at nswcsystems.co.uk> wrote:
> Hi,
> I tried using criticalstack, as it sounds like a really cool idea. I just can’t seem to get any events from it.
> 
> Should events go to the notice.log or the intel.log?
> 
> I tried a ping from an address present in the feed then looked for output and I have conn.log ICMP entry and a syslog entry but nothing else.
> Andys-MacBook-Air:~ andy$ ping 89.106.121.76
> 
> [root at bro current]# grep -l '89.106.121.76' *.log
> conn.log
> syslog.log
> 
> 1435439487.024865 C6HBUkZ7i07zlYE5a 172.31.254.179 8 89.106.121.76 0 icmp - 9.123324 560 560 OTH T 0 - 1840 10 840 (empty) - BG - - 22.872499 43.990002
> 
> I have some Intel loaded from CIF2 and that works OK, I use the test event:
> Andys-MacBook-Air:~ andy$ curl http://testmyids.com
> uid=0(root) gid=0(root) groups=0(root)
> intel.log
> 1435439895.054961 CaEWz015AEjRJRruN2 172.31.254.179 55025 172.31.254.80 53 - - - testmyids.com Intel::DOMAIN DNS::IN_REQUEST Tester
> 1435439895.054965 COdqds1DkdarGlSnY1 172.31.254.179 53210 172.31.254.80 53 - - - testmyids.com Intel::DOMAIN DNS::IN_REQUEST Tester
> 1435439895.055305 CLcqwd2xLkH0MUUtf3 172.31.254.80 50910 8.8.4.4 53 - - - testmyids.com Intel::DOMAIN DNS::IN_REQUEST Tester
> 1435439895.055309 Cwdyhm1vbT1SnTiSG1 172.31.254.80 50639 8.8.4.4 53 - - - testmyids.com Intel::DOMAIN DNS::IN_REQUEST Tester
> 1435439895.253858 CtMoHr3h546C8UmdSi 172.31.254.179 50214 82.165.177.154 80 - - - testmyids.com Intel::DOMAIN HTTP::IN_HOST_HEADER Tester
> 
> Am I doing something wrong?
> 
> Kind regards,
> Andy
> Andrew.Ratcliffe at NSWCSystems.co.uk
> CISSP, GCIA, GCIH, GPEN, GWAPT, CSTA, CSTP, CWSA, GCFE
> Blog.InfoSecMatters.net <http://blog.infosecmatters.net/>
> 
>> On 25 Jun 2015, at 13:51, Liam Randall <liam.randall at gmail.com> wrote:
>> 
>> No, Critical Stack is entirely custom; we are not building a TIP.  We wanted to have an easy way to have actionable intel stream into bro as it is discovered, so we built it.  We thought others would want it as well, so we make it freely available to the community.  We are getting ready to launch a new extension to it called KITTY (Keep Intel Transactions To Yourself) that allows you to privately share and deploy hundreds of millions of indicators in a fast, memory-efficient way.  It integrates directly with our online marketplace; we deployed our first test clients this week.  We'll announce more shortly @CriticalStack.
>> 
>> For TIPs there are a lot of great solutions you should look at:
>> 
>> Free:
>> MISP
>> CRITS
>> 
>> Commercial:
>> Soltra Edge (has a free version)
>> ThreatConnect
>> ThreatStream
>> ThreatQ (ThreatQuotient)
>> BrightPoint Security (formerly Vorstack)
>> 
>> 
>> V/r,
>> 
>> Liam Randall
>> 
>> 
>> On Thu, Jun 25, 2015 at 8:37 AM, Harry Hoffman <hhoffman at ip-solutions.net> wrote:
>> Is critical stack based upon CIF (collective intelligence framework)?
>> 
>> It looks very similar.
>> 
>> Cheers,
>> Harry
>> 
>> 
>> On Jun 25, 2015 7:44 AM, Heine Lysemose <lysemose at gmail.com> wrote:
>> >
>> > Hi
>> >
>> > I encourage you to have a look at https://intel.criticalstack.com/
>> >
>> > Best,
>> > Lysemose
>> >
>> > On Thu, Jun 25, 2015 at 1:31 PM, Jan Grashofer <jan.grashofer at cern.ch> wrote:
>> >>
>> >> Hi all,
>> >>
>> >> I am having a look at Threat Intelligence Management solutions, which can be used with Bro. What do you use and what are your experiences?
>> >>
>> >> Regards,
>> >> Jan
>> >>
>> >> _______________________________________________
>> >> Bro mailing list
>> >> bro at bro-ids.org
>> >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>> >
>> >
>> 
> 
