[Bro] Threat Intelligence Management

Josh Liburdi liburdi.joshua at gmail.com
Mon Jun 29 13:35:36 PDT 2015


Andy,

If you still have these log files (or can generate them again), can
you share the line from http.log that contains the URL indicator?

Thanks,
Josh

On Sun, Jun 28, 2015 at 6:02 PM, Andrew Ratcliffe
<andrew.ratcliffe at nswcsystems.co.uk> wrote:
> Hi Josh,
> Thanks for pointing that out. However, I still seem to have a problem:
> www.etiksecimler.com/appraiser/ipad/ Intel::URL from
> http://www.phishtank.com/phish_detail.php?phish_id=3266591 via
> intel.criticalstack.com F
> Use Curl to get the URL
> Andys-MacBook-Air:~ andy$ curl www.etiksecimler.com/appraiser/ipad/
> Still no intel.log entry
> [root at bro current]# grep -l www.etiksecimler.com *.log
> dns.log
> http.log
>
> # Critical Stack, Inc - https://intel.criticalstack.com
> @load /opt/critical-stack/frameworks/intel
> # Uncomment the following line to enable detection of the heartbleed attack.
> # Enabling this might impact performance a bit.
> # @load policy/protocols/ssl/heartbleed
> @load conn-geoip2.bro
> @load intel-2.bro
> #@load bpf-filter.bro
>
> Kind regards,
> Andy
> Andrew.Ratcliffe at NSWCSystems.co.uk
> CISSP, GCIA, GCIH, GPEN, GWAPT, CSTA, CSTP, CWSA, GCFE
> Blog.InfoSecMatters.net
>
> On 27 Jun 2015, at 23:55, Josh Liburdi <liburdi.joshua at gmail.com> wrote:
>
> Andy,
>
> By default the Intel framework only generates log entries for IP addresses
> if the connection is a fully established TCP connection. That's probably why
> pinging an IP did not generate an entry.
>
> Josh
>
> On Saturday, Jun 27, 2015 at 5:39 PM, Andrew Ratcliffe
> <andrew.ratcliffe at nswcsystems.co.uk> wrote:
>>
>> Hi,
>> I tried using criticalstack, as it sounds like a really cool idea. I just
>> can’t seem to get any events from it.
>>
>> Should events go to the notice.log or the intel.log?
>>
>> I tried a ping from an address present in the feed then looked for output
>> and I have conn.log ICMP entry and a syslog entry but nothing else.
>> Andys-MacBook-Air:~ andy$ ping 89.106.121.76
>>
>> [root at bro current]# grep -l '89.106.121.76' *.log
>> conn.log
>> syslog.log
>>
>> 1435439487.024865 C6HBUkZ7i07zlYE5a 172.31.254.179 8 89.106.121.76 0 icmp - 9.123324 560 560 OTH T 0 - 1840 10 840 (empty) - BG - - 22.872499 43.990002
>>
>> I have some Intel loaded from CIF2 and that works OK, I use the test
>> event:
>> Andys-MacBook-Air:~ andy$ curl http://testmyids.com
>> uid=0(root) gid=0(root) groups=0(root)
>> intel.log
>> 1435439895.054961 CaEWz015AEjRJRruN2 172.31.254.179 55025 172.31.254.80 53 - - - testmyids.com Intel::DOMAIN DNS::IN_REQUEST Tester
>> 1435439895.054965 COdqds1DkdarGlSnY1 172.31.254.179 53210 172.31.254.80 53 - - - testmyids.com Intel::DOMAIN DNS::IN_REQUEST Tester
>> 1435439895.055305 CLcqwd2xLkH0MUUtf3 172.31.254.80 50910 8.8.4.4 53 - - - testmyids.com Intel::DOMAIN DNS::IN_REQUEST Tester
>> 1435439895.055309 Cwdyhm1vbT1SnTiSG1 172.31.254.80 50639 8.8.4.4 53 - - - testmyids.com Intel::DOMAIN DNS::IN_REQUEST Tester
>> 1435439895.253858 CtMoHr3h546C8UmdSi 172.31.254.179 50214 82.165.177.154 80 - - - testmyids.com Intel::DOMAIN HTTP::IN_HOST_HEADER Tester
>>
>> Am I doing something wrong?
>>
>> Kind regards,
>> Andy
>> Andrew.Ratcliffe at NSWCSystems.co.uk
>> CISSP, GCIA, GCIH, GPEN, GWAPT, CSTA, CSTP, CWSA, GCFE
>> Blog.InfoSecMatters.net
>>
>> On 25 Jun 2015, at 13:51, Liam Randall <liam.randall at gmail.com> wrote:
>>
>> No, Critical Stack is entirely custom; we are not building a TIP. We
>> wanted an easy way to have actionable intel stream into bro as it is
>> discovered, so we built it. We thought others would want it as well, so we
>> made it freely available to the community. We are getting ready to launch a
>> new extension to it called KITTY (Keep Intel Transactions To Yourself) that
>> allows you to privately share and deploy hundreds of millions of indicators in a
>> fast, memory-efficient way. It integrates directly with our online
>> marketplace; we deployed our first test clients this week. We'll announce
>> more shortly @CriticalStack.
>>
>> For TIPs there are a lot of great solutions you should look at:
>>
>> Free:
>> MISP
>> CRITS
>>
>> Commercial:
>> Soltra Edge (has a free version)
>> ThreatConnect
>> ThreatStream
>> ThreatQ (ThreatQuotient)
>> BrightPoint Security (formerly Vorstack)
>>
>>
>> V/r,
>>
>> Liam Randall
>>
>>
>> On Thu, Jun 25, 2015 at 8:37 AM, Harry Hoffman <hhoffman at ip-solutions.net>
>> wrote:
>>>
>>> Is critical stack based upon CIF (collective intelligence framework)?
>>>
>>> It looks very similar.
>>>
>>> Cheers,
>>> Harry
>>>
>>>
>>> On Jun 25, 2015 7:44 AM, Heine Lysemose <lysemose at gmail.com> wrote:
>>> >
>>> > Hi
>>> >
>>> > I encourage you to have a look at, https://intel.criticalstack.com/
>>> >
>>> > Best,
>>> > Lysemose
>>> >
>>> > On Thu, Jun 25, 2015 at 1:31 PM, Jan Grashofer <jan.grashofer at cern.ch>
>>> > wrote:
>>> >>
>>> >> Hi all,
>>> >>
>>> >> I am having a look at Threat Intelligence Management solutions, which
>>> >> can be used with Bro. What do you use and what are your experiences?
>>> >>
>>> >> Regards,
>>> >> Jan
>>> >>
>>> >> _______________________________________________
>>> >> Bro mailing list
>>> >> bro at bro-ids.org
>>> >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>> >
>>>
>>
>
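The two misses Andy reports above, replayed offline as an added example that is not part of the thread and not Bro's own code: the Intel framework's default address hook runs only on established TCP connections (so an ICMP ping never reaches it), and an Intel::URL indicator is compared as an exact string against the URL Bro builds from the http.log host and uri (no scheme, port appended unless 80). The log excerpts are constructed in Bro 2.4 tab-separated format with trailing columns trimmed; the HTTP uid and responder IP are placeholders.

```python
"""Offline replay of the two misses in the thread: an Intel::ADDR indicator
pinged over ICMP, and an Intel::URL indicator that must match exactly.
Added example, not code from the thread or from Bro; the log excerpts are
constructed in Bro 2.4 tab-separated format (fields trimmed)."""
from typing import Dict, List, Optional

def parse_bro_log(text: str) -> List[Dict[str, str]]:
    """Parse a Bro ASCII log, naming columns from its '#fields' header."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.strip().splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def build_url(rec: Dict[str, str]) -> str:
    """Mirror HTTP::build_url(): host (':port' appended unless 80) + uri, no scheme."""
    host = rec["host"] if rec["host"] != "-" else rec["id.resp_h"]
    if rec["id.resp_p"] != "80":
        host = f"{host}:{rec['id.resp_p']}"
    uri = rec["uri"] if rec["uri"] != "-" else "/<missed_request>"
    return host + uri

def url_indicator_hits(indicator: str, http_rec: Dict[str, str]) -> bool:
    """The Intel::URL lookup is an exact string comparison on the built URL."""
    return build_url(http_rec) == indicator

def addr_not_checked_reason(conn_rec: Dict[str, str]) -> Optional[str]:
    """Why this conn.log record's addresses are never passed to Intel::seen:
    the default hook fires only on established TCP connections."""
    if conn_rec["proto"] != "tcp":
        return f"{conn_rec['proto']}: address indicators need an established TCP connection"
    if conn_rec["conn_state"] in ("S0", "REJ", "OTH"):
        return f"conn_state {conn_rec['conn_state']}: no completed handshake seen"
    return None

# Constructed samples: the ICMP ping from the thread, and a GET whose uri
# lacks the trailing slash carried by the feed entry (uid and resp_h are placeholders).
CONN_LOG = ("#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\n"
            "1435439487.024865\tC6HBUkZ7i07zlYE5a\t172.31.254.179\t8\t89.106.121.76\t0\ticmp\t-\t9.123324\t560\t560\tOTH\n")
HTTP_LOG = ("#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\ttrans_depth\tmethod\thost\turi\n"
            "1435500000.000000\tCxyz0000000000000\t172.31.254.179\t50214\t203.0.113.10\t80\t1\tGET\twww.etiksecimler.com\t/appraiser/ipad\n")

if __name__ == "__main__":
    print(addr_not_checked_reason(parse_bro_log(CONN_LOG)[0]))
    rec = parse_bro_log(HTTP_LOG)[0]
    print(build_url(rec), url_indicator_hits("www.etiksecimler.com/appraiser/ipad/", rec))
```

Run it against a real http.log and conn.log by pasting the `#fields` header plus the line of interest; a False from url_indicator_hits with an otherwise matching host means the feed entry and the observed uri differ byte for byte.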


