[Bro] Threat Intelligence Management

Liam Randall liam.randall at gmail.com
Mon Jun 29 14:21:55 PDT 2015


Hey Andrew,

After installing did you do a

sudo broctl check
sudo broctl install
sudo broctl restart

You only need to perform that once and the future updates will be included
automatically.

If you have included '@load misc/loaded-scripts' in your local.bro you will
generate a loaded_scripts.log that you can use to verify that the scripts
are running:

less loaded_scripts.log | grep critical-stack
  /opt/critical-stack/frameworks/intel/__load__.bro
    /opt/critical-stack/frameworks/intel/feeds.bro

If you'd like please feel free to open a support ticket and we can help you
figure this out offline:
https://criticalstack.zendesk.com/hc/en-us/requests/new

V/r,

Liam Randall

On Mon, Jun 29, 2015 at 5:12 PM, Andrew Ratcliffe <
andrew.ratcliffe at nswcsystems.co.uk> wrote:

> Josh,
> I tried a different one just so that it was current in the logs.
>
> cwihosting.com/emsp/data/getproductrequest.htm Intel::URL from
> http://www.phishtank.com/phish_detail.php?phish_id=2479331 via
> intel.criticalstack.com F
> [root at bro intel]# cd /usr/local/bro/logs/current/
> [root at bro current]# grep -l cwihosting.com *.log
> dns.log
> http.log
> [root at bro current]# grep cwihosting.com http.log
> 1435611906.514899 C31ZazNObk3xTTk86 172.31.254.179 51734 72.52.170.179 80
> 1 GET cwihosting.com /emsp/data/getproductrequest.htm - curl/7.37.1 0
> 18464 200 OK - - - (empty) - - - - - FdGgt336pWjZZn8MBa -
> [root at bro current]#
>
>
> Thanks
>
> Kind regards,
> Andy
> Andrew.Ratcliffe at NSWCSystems.co.uk
> CISSP, GCIA, GCIH, GPEN, GWAPT, CSTA, CSTP, CWSA, GCFE
> Blog.InfoSecMatters.net <http://blog.infosecmatters.net/>
>
> On 29 Jun 2015, at 21:35, Josh Liburdi <liburdi.joshua at gmail.com> wrote:
>
> Andy,
>
> If you still have these log files (or can generate them again), can
> you share the line from http.log that contains the URL indicator?
>
> Thanks,
> Josh
>
> On Sun, Jun 28, 2015 at 6:02 PM, Andrew Ratcliffe
> <andrew.ratcliffe at nswcsystems.co.uk> wrote:
>
> Hi Josh,
> Thanks for pointing that out. However, I still seem to have a problem:
> www.etiksecimler.com/appraiser/ipad/ Intel::URL from
> http://www.phishtank.com/phish_detail.php?phish_id=3266591 via
> intel.criticalstack.com F
> Use Curl to get the URL
> Andys-MacBook-Air:~ andy$ curl www.etiksecimler.com/appraiser/ipad/
> Still no intel.log entry
> [root at bro current]# grep -l www.etiksecimler.com *.log
> dns.log
> http.log
>
> # Critical Stack, Inc - https://intel.criticalstack.com
> @load /opt/critical-stack/frameworks/intel
> # Uncomment the following line to enable detection of the heartbleed attack. Enabling
> # this might impact performance a bit.
> # @load policy/protocols/ssl/heartbleed
> @load conn-geoip2.bro
> @load intel-2.bro
> #@load bpf-filter.bro
>
> Kind regards,
> Andy
> Andrew.Ratcliffe at NSWCSystems.co.uk
> CISSP, GCIA, GCIH, GPEN, GWAPT, CSTA, CSTP, CWSA, GCFE
> Blog.InfoSecMatters.net
>
> On 27 Jun 2015, at 23:55, Josh Liburdi <liburdi.joshua at gmail.com> wrote:
>
> Andy,
>
> By default the Intel framework only generates log entries for IP addresses
> if the connection is a fully established TCP connection. That's probably
> why pinging an IP did not generate an entry.
>
> Josh
>
> On Saturday, Jun 27, 2015 at 5:39 PM, Andrew Ratcliffe
> <andrew.ratcliffe at nswcsystems.co.uk>, wrote:
>
>
> Hi,
> I tried using criticalstack, as it sounds like a really cool idea. I just
> can’t seem to get any events from it.
>
> Should events go to the notice.log or the intel.log?
>
> I tried a ping from an address present in the feed then looked for output
> and I have conn.log ICMP entry and a syslog entry but nothing else.
> Andys-MacBook-Air:~ andy$ ping 89.106.121.76
>
> [root at bro current]# grep -l '89.106.121.76' *.log
> conn.log
> syslog.log
>
> 1435439487.024865 C6HBUkZ7i07zlYE5a 172.31.254.179 8 89.106.121.76 0 icmp
> - 9.123324 560 560 OTH T 0 - 1840 10 840 (empty) - BG - - 22.872499
> 43.990002
>
> I have some Intel loaded from CIF2 and that works OK, I use the test
> event:
> Andys-MacBook-Air:~ andy$ curl http://testmyids.com
> uid=0(root) gid=0(root) groups=0(root)
> intel.log
> 1435439895.054961 CaEWz015AEjRJRruN2 172.31.254.179 55025 172.31.254.80 53
> - - - testmyids.com Intel::DOMAIN DNS::IN_REQUEST Tester
> 1435439895.054965 COdqds1DkdarGlSnY1 172.31.254.179 53210 172.31.254.80 53
> - - - testmyids.com Intel::DOMAIN DNS::IN_REQUEST Tester
> 1435439895.055305 CLcqwd2xLkH0MUUtf3 172.31.254.80 50910 8.8.4.4 53 - - -
> testmyids.com Intel::DOMAIN DNS::IN_REQUEST Tester
> 1435439895.055309 Cwdyhm1vbT1SnTiSG1 172.31.254.80 50639 8.8.4.4 53 - - -
> testmyids.com Intel::DOMAIN DNS::IN_REQUEST Tester
> 1435439895.253858 CtMoHr3h546C8UmdSi 172.31.254.179 50214 82.165.177.154
> 80 - - - testmyids.com Intel::DOMAIN HTTP::IN_HOST_HEADER Tester
>
> Am I doing something wrong?
>
> Kind regards,
> Andy
> Andrew.Ratcliffe at NSWCSystems.co.uk
> CISSP, GCIA, GCIH, GPEN, GWAPT, CSTA, CSTP, CWSA, GCFE
> Blog.InfoSecMatters.net
>
> On 25 Jun 2015, at 13:51, Liam Randall <liam.randall at gmail.com> wrote:
>
> No, Critical Stack is entirely custom; we are not building a TIP.  We
> wanted to have an easy way to have actionable intel stream into bro as it is
> discovered, so we built it.  We thought others would want it as well so we
> make it freely available to the community.  We are getting ready to launch a
> new extension to it called KITTY (Keep Intel Transactions To Yourself) that
> allows you to privately share and deploy hundreds of millions of indicators in a
> fast, memory efficient way.  It integrates directly with our online
> marketplace; we deployed our first test clients this week.  We'll announce
> more shortly @CriticalStack.
>
> For TIPs there are a lot of great solutions you should look at:
>
> Free:
> MISP
> CRITS
>
> Commercial:
> Soltra Edge (has a free version)
> ThreatConnect
> ThreatStream
> ThreatQ (ThreatQuotient)
> BrightPoint Security (formerly Vorstack)
>
>
> V/r,
>
> Liam Randall
>
>
> On Thu, Jun 25, 2015 at 8:37 AM, Harry Hoffman <hhoffman at ip-solutions.net>
> wrote:
>
>
> Is critical stack based upon CIF (collective intelligence framework)?
>
> It looks very similar.
>
> Cheers,
> Harry
>
>
> On Jun 25, 2015 7:44 AM, Heine Lysemose <lysemose at gmail.com> wrote:
>
>
> Hi
>
> I encourage you to have a look at, https://intel.criticalstack.com/
>
> Best,
> Lysemose
>
> On Thu, Jun 25, 2015 at 1:31 PM, Jan Grashofer <jan.grashofer at cern.ch>
> wrote:
>
>
> Hi all,
>
> I am having a look at Threat Intelligence Management solutions, which
> can be used with Bro. What do you use and what are your experiences?
>
> Regards,
> Jan
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
>
>
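As an added example, not code from the thread, from Bro or from Critical Stack: a small Python cross-check of an Intel framework feed file against intel.log that reports, for each feed indicator, where it was seen (the seen.where column) and whether its meta.do_notice flag is set, which is what decides whether a match also surfaces in notice.log rather than only in intel.log. The feed column layout (indicator, indicator_type, meta.source, meta.do_notice) and all sample records are constructed for this example, modelled on the entries quoted above.

```python
from collections import defaultdict

# Constructed feed sample in the Intel framework's tab-separated input format
# (assumed column layout; values modelled on the entries quoted in the thread).
FEED = """\
#fields\tindicator\tindicator_type\tmeta.source\tmeta.do_notice
testmyids.com\tIntel::DOMAIN\tTester\tT
www.etiksecimler.com/appraiser/ipad/\tIntel::URL\tfrom http://www.phishtank.com/phish_detail.php?phish_id=3266591 via intel.criticalstack.com\tF
89.106.121.76\tIntel::ADDR\tfrom example-feed via intel.criticalstack.com\tF
"""

# Constructed intel.log sample with the Bro 2.x column set seen in the thread.
INTEL_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tfuid\tfile_mime_type\tfile_desc\tseen.indicator\tseen.indicator_type\tseen.where\tsources
1435439895.054961\tCaEWz015AEjRJRruN2\t172.31.254.179\t55025\t172.31.254.80\t53\t-\t-\t-\ttestmyids.com\tIntel::DOMAIN\tDNS::IN_REQUEST\tTester
1435439895.253858\tCtMoHr3h546C8UmdSi\t172.31.254.179\t50214\t82.165.177.154\t80\t-\t-\t-\ttestmyids.com\tIntel::DOMAIN\tHTTP::IN_HOST_HEADER\tTester
"""

def parse_bro_tsv(text):
    """Parse a Bro-style TSV whose '#fields' header names the columns."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def feed_hits(feed_text, log_text):
    """For each feed indicator: its type, do_notice flag and the seen.where
    locations that produced intel.log entries (empty list = never matched)."""
    seen = defaultdict(set)
    for rec in parse_bro_tsv(log_text):
        seen[(rec["seen.indicator"], rec["seen.indicator_type"])].add(rec["seen.where"])
    report = {}
    for ind in parse_bro_tsv(feed_text):
        key = (ind["indicator"], ind["indicator_type"])
        report[ind["indicator"]] = {
            "type": ind["indicator_type"],
            "do_notice": ind["meta.do_notice"] == "T",  # T => a Notice is raised too
            "where": sorted(seen.get(key, ())),
        }
    return report

if __name__ == "__main__":
    for name, info in feed_hits(FEED, INTEL_LOG).items():
        hit = ", ".join(info["where"]) or "no intel.log entry"
        print(f"{name} [{info['type']}]: {hit}; notice={'T' if info['do_notice'] else 'F'}")
```

Point the two constants at a real feed file and the current intel.log to see which indicators have ever matched; an address indicator with no entry is consistent with the thread's note that IP matches are only logged for established TCP connections.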