[Bro] Threat Intelligence Management

Andrew Ratcliffe andrew.ratcliffe at nswcsystems.co.uk
Mon Jun 29 15:08:04 PDT 2015


Liam,
Thanks for that. I think it is not loading. I’ll have another look at it.
Kind regards,
Andy
Andrew.Ratcliffe at NSWCSystems.co.uk
CISSP, GCIA, GCIH, GPEN, GWAPT, CSTA, CSTP, CWSA, GCFE
Blog.InfoSecMatters.net <http://blog.infosecmatters.net/>

> On 29 Jun 2015, at 22:21, Liam Randall <liam.randall at gmail.com> wrote:
> 
> Hey Andrew,
> 
> After installing did you do a
> 
> sudo broctl check
> sudo broctl install
> sudo broctl restart
> 
> You only need to perform that once and the future updates will be included automatically.
> 
> If you have included '@load misc/loaded-scripts' in your local.bro you will generate a loaded_scripts.log that you can use to verify that the scripts are running:
> 
> less loaded_scripts.log | grep critical-stack
>   /opt/critical-stack/frameworks/intel/__load__.bro
>     /opt/critical-stack/frameworks/intel/feeds.bro
> 
> If you'd like please feel free to open a support ticket and we can help you figure this out offline:
> https://criticalstack.zendesk.com/hc/en-us/requests/new
> 
> V/r,
> 
> Liam Randall
> 
> On Mon, Jun 29, 2015 at 5:12 PM, Andrew Ratcliffe <andrew.ratcliffe at nswcsystems.co.uk> wrote:
> Josh,
> I tried a different one just so that it was current in the logs.
> 
> cwihosting.com/emsp/data/getproductrequest.htm	Intel::URL	from http://www.phishtank.com/phish_detail.php?phish_id=2479331 via intel.criticalstack.com	F
> [root at bro intel]# cd /usr/local/bro/logs/current/
> [root at bro current]# grep -l cwihosting.com *.log
> dns.log
> http.log
> [root at bro current]# grep cwihosting.com http.log
> 1435611906.514899	C31ZazNObk3xTTk86	172.31.254.179	51734	72.52.170.179	80	1	GET	cwihosting.com	/emsp/data/getproductrequest.htm	-	curl/7.37.1	0	18464	200	OK	-	-	-	(empty)	-	-	-	-	-	FdGgt336pWjZZn8MBa	-
> [root at bro current]#
> 
> 
> Thanks
> 
> Kind regards,
> Andy
> Andrew.Ratcliffe at NSWCSystems.co.uk
> CISSP, GCIA, GCIH, GPEN, GWAPT, CSTA, CSTP, CWSA, GCFE
> Blog.InfoSecMatters.net <http://blog.infosecmatters.net/>
> 
>> On 29 Jun 2015, at 21:35, Josh Liburdi <liburdi.joshua at gmail.com> wrote:
>> 
>> Andy,
>> 
>> If you still have these log files (or can generate them again), can
>> you share the line from http.log that contains the URL indicator?
>> 
>> Thanks,
>> Josh
>> 
>> On Sun, Jun 28, 2015 at 6:02 PM, Andrew Ratcliffe
>> <andrew.ratcliffe at nswcsystems.co.uk> wrote:
>>> Hi Josh,
>>> Thanks for pointing that out. However, I still seem to have a problem:
>>> www.etiksecimler.com/appraiser/ipad/ Intel::URL from
>>> http://www.phishtank.com/phish_detail.php?phish_id=3266591 via
>>> intel.criticalstack.com F
>>> Use curl to get the URL:
>>> Andys-MacBook-Air:~ andy$ curl www.etiksecimler.com/appraiser/ipad/
>>> Still no intel.log entry
>>> [root at bro current]# grep -l www.etiksecimler.com *.log
>>> dns.log
>>> http.log
>>> 
>>> # Critical Stack, Inc - https://intel.criticalstack.com
>>> @load /opt/critical-stack/frameworks/intel
>>> # Uncomment the following line to enable detection of the heartbleed attack. Enabling
>>> # this might impact performance a bit.
>>> # @load policy/protocols/ssl/heartbleed
>>> @load conn-geoip2.bro
>>> @load intel-2.bro
>>> #@load bpf-filter.bro
>>> 
>>> Kind regards,
>>> Andy
>>> Andrew.Ratcliffe at NSWCSystems.co.uk
>>> CISSP, GCIA, GCIH, GPEN, GWAPT, CSTA, CSTP, CWSA, GCFE
>>> Blog.InfoSecMatters.net <http://blog.infosecmatters.net/>
>>> 
>>> On 27 Jun 2015, at 23:55, Josh Liburdi <liburdi.joshua at gmail.com> wrote:
>>> 
>>> Andy,
>>> 
>>> By default the Intel framework only generates log entries for IP addresses
>>> if the connection is a fully established TCP connection. That's probably why
>>> pinging an IP did not generate an entry.
>>> 
>>> Josh
>>> 
>>> On Saturday, Jun 27, 2015 at 5:39 PM, Andrew Ratcliffe
>>> <andrew.ratcliffe at nswcsystems.co.uk>, wrote:
>>>> 
>>>> Hi,
>>>> I tried using criticalstack, as it sounds like a really cool idea. I just
>>>> can’t seem to get any events from it.
>>>> 
>>>> Should events go to the notice.log or the intel.log?
>>>> 
>>>> I tried a ping from an address present in the feed then looked for output
>>>> and I have conn.log ICMP entry and a syslog entry but nothing else.
>>>> Andys-MacBook-Air:~ andy$ ping 89.106.121.76
>>>> 
>>>> [root at bro current]# grep -l '89.106.121.76' *.log
>>>> conn.log
>>>> syslog.log
>>>> 
>>>> 1435439487.024865 C6HBUkZ7i07zlYE5a 172.31.254.179 8 89.106.121.76 0 icmp - 9.123324 560 560 OTH T 0 - 1840 10 840 (empty) - BG - - 22.872499 43.990002
>>>> 
>>>> I have some Intel loaded from CIF2 and that works OK, I use the test
>>>> event:
>>>> Andys-MacBook-Air:~ andy$ curl http://testmyids.com
>>>> uid=0(root) gid=0(root) groups=0(root)
>>>> intel.log
>>>> 1435439895.054961 CaEWz015AEjRJRruN2 172.31.254.179 55025 172.31.254.80 53 - - - testmyids.com Intel::DOMAIN DNS::IN_REQUEST Tester
>>>> 1435439895.054965 COdqds1DkdarGlSnY1 172.31.254.179 53210 172.31.254.80 53 - - - testmyids.com Intel::DOMAIN DNS::IN_REQUEST Tester
>>>> 1435439895.055305 CLcqwd2xLkH0MUUtf3 172.31.254.80 50910 8.8.4.4 53 - - - testmyids.com Intel::DOMAIN DNS::IN_REQUEST Tester
>>>> 1435439895.055309 Cwdyhm1vbT1SnTiSG1 172.31.254.80 50639 8.8.4.4 53 - - - testmyids.com Intel::DOMAIN DNS::IN_REQUEST Tester
>>>> 1435439895.253858 CtMoHr3h546C8UmdSi 172.31.254.179 50214 82.165.177.154 80 - - - testmyids.com Intel::DOMAIN HTTP::IN_HOST_HEADER Tester
>>>> 
>>>> Am I doing something wrong?
>>>> 
>>>> Kind regards,
>>>> Andy
>>>> Andrew.Ratcliffe at NSWCSystems.co.uk
>>>> CISSP, GCIA, GCIH, GPEN, GWAPT, CSTA, CSTP, CWSA, GCFE
>>>> Blog.InfoSecMatters.net <http://blog.infosecmatters.net/>
>>>> 
>>>> On 25 Jun 2015, at 13:51, Liam Randall <liam.randall at gmail.com> wrote:
>>>> 
>>>> No, Critical Stack is entirely custom; we are not building a TIP. We
>>>> wanted to have an easy way to have actionable intel stream into Bro as it is
>>>> discovered, so we built it. We thought others would want it as well, so we
>>>> make it freely available to the community. We are getting ready to launch a
>>>> new extension to it called KITTY (Keep Intel Transactions To Yourself) that
>>>> allows you to privately share and deploy hundreds of millions of indicators in a
>>>> fast, memory-efficient way. It integrates directly with our online
>>>> marketplace; we deployed our first test clients this week. We'll announce
>>>> more shortly @CriticalStack.
>>>> 
>>>> For TIPs there are a lot of great solutions you should look at:
>>>> 
>>>> Free:
>>>> MISP
>>>> CRITS
>>>> 
>>>> Commercial:
>>>> Soltra Edge (has a free version)
>>>> ThreatConnect
>>>> ThreatStream
>>>> ThreatQ (ThreatQuotient)
>>>> BrightPoint Security (formerly Vorstack)
>>>> 
>>>> 
>>>> V/r,
>>>> 
>>>> Liam Randall
>>>> 
>>>> 
>>>> On Thu, Jun 25, 2015 at 8:37 AM, Harry Hoffman <hhoffman at ip-solutions.net> wrote:
>>>>> 
>>>>> Is critical stack based upon CIF (collective intelligence framework)?
>>>>> 
>>>>> It looks very similar.
>>>>> 
>>>>> Cheers,
>>>>> Harry
>>>>> 
>>>>> 
>>>>> On Jun 25, 2015 7:44 AM, Heine Lysemose <lysemose at gmail.com> wrote:
>>>>>> 
>>>>>> Hi
>>>>>> 
>>>>>> I encourage you to have a look at https://intel.criticalstack.com/
>>>>>> 
>>>>>> Best,
>>>>>> Lysemose
>>>>>> 
>>>>>> On Thu, Jun 25, 2015 at 1:31 PM, Jan Grashofer <jan.grashofer at cern.ch> wrote:
>>>>>>> 
>>>>>>> Hi all,
>>>>>>> 
>>>>>>> I am having a look at Threat Intelligence Management solutions, which
>>>>>>> can be used with Bro. What do you use and what are your experiences?
>>>>>>> 
>>>>>>> Regards,
>>>>>>> Jan
>>>>>>> 
>>>>>>> _______________________________________________
>>>>>>> Bro mailing list
>>>>>>> bro at bro-ids.org
>>>>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>>>> 
>>>>>> 
>>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>> 
> 
> 
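The two matching rules this thread turns on (a URL indicator is compared against the host plus URI that HTTP::build_url assembles, with no scheme; an address indicator is only reported from connection_established, so a ping never reaches intel.log) can be modelled offline against the rows posted above. What follows is an added example written for this page; it is not code from Bro, from Critical Stack, or from anyone in the thread. The feed text, the second feed variant and the TCP conn.log row are constructed for the demo; the http.log row and the ICMP conn.log row are the ones posted above; the set of conn_state values treated as "established", and the exact way a non-80 port is rendered in the URL, are assumptions.

```python
from typing import Dict, List, Tuple

Indicator = Tuple[str, str]   # (indicator_type, indicator)
Seen = Tuple[Indicator, str]  # (indicator, where it was seen)

# Constructed feed in Bro's tab-separated intel file format. The URL entry is
# the one quoted in the thread; the ADDR and DOMAIN entries are made up.
INTEL_FEED = (
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.url\tmeta.do_notice\n"
    "cwihosting.com/emsp/data/getproductrequest.htm\tIntel::URL\tintel.criticalstack.com"
    "\t-\thttp://www.phishtank.com/phish_detail.php?phish_id=2479331\tF\n"
    "89.106.121.76\tIntel::ADDR\tintel.criticalstack.com\t-\t-\tF\n"
    "testmyids.com\tIntel::DOMAIN\tCIF2\tTester\t-\tF\n"
)
# Constructed variant with the scheme left on the URL: the framework compares
# strings exactly, so an entry written this way never hits.
INTEL_FEED_WITH_SCHEME = (
    "#fields\tindicator\tindicator_type\tmeta.source\n"
    "http://cwihosting.com/emsp/data/getproductrequest.htm\tIntel::URL\tx\n"
)
# The http.log row posted in the thread (27 tab-separated columns).
HTTP_LINE = "\t".join([
    "1435611906.514899", "C31ZazNObk3xTTk86", "172.31.254.179", "51734",
    "72.52.170.179", "80", "1", "GET", "cwihosting.com",
    "/emsp/data/getproductrequest.htm", "-", "curl/7.37.1", "0", "18464",
    "200", "OK", "-", "-", "-", "(empty)", "-", "-", "-", "-", "-",
    "FdGgt336pWjZZn8MBa", "-"])
# The ping's conn.log row from the thread, cut to the columns read below.
CONN_ICMP = "\t".join([
    "1435439487.024865", "C6HBUkZ7i07zlYE5a", "172.31.254.179", "8",
    "89.106.121.76", "0", "icmp", "-", "9.123324", "560", "560", "OTH"])
# Constructed: the same host reached over a completed TCP connection.
CONN_TCP = "\t".join([
    "1435439500.000000", "CabcDEF1234567890", "172.31.254.179", "51000",
    "89.106.121.76", "80", "tcp", "http", "0.412", "120", "3400", "SF"])

# 0-based column positions in the default Bro 2.x http.log / conn.log.
HTTP_RESP_H, HTTP_RESP_P, HTTP_HOST, HTTP_URI = 4, 5, 8, 9
CONN_ORIG_H, CONN_RESP_H, CONN_PROTO, CONN_STATE = 2, 4, 6, 11
# conn_state values only reached after a completed TCP handshake, i.e. after
# Bro raised connection_established (assumption, see lead-in).
ESTABLISHED_STATES = {"S1", "S2", "S3", "SF", "RSTO", "RSTR"}


def load_intel(feed_text: str) -> Dict[Indicator, Dict[str, str]]:
    """Parse a Bro intel file into {(indicator_type, indicator): meta columns}."""
    fields: List[str] = []
    table: Dict[Indicator, Dict[str, str]] = {}
    for line in feed_text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rec = dict(zip(fields, line.split("\t")))
            table[(rec["indicator_type"], rec["indicator"])] = rec
    return table


def build_url(host: str, uri: str, resp_h: str, resp_p: str) -> str:
    """What HTTP::build_url hands to Intel::seen: host + URI, no scheme,
    responder IP if the Host header is missing, port appended unless 80."""
    h = host if host != "-" else resp_h
    u = uri if uri != "-" else "/<missed_request>"
    if resp_p != "80":
        h = f"{h}:{resp_p}"  # port rendering is an assumption
    return h + u


def seen_from_http(line: str) -> List[Seen]:
    """Indicators the intel/seen HTTP scripts report for one http.log row."""
    c = line.split("\t")
    seen: List[Seen] = []
    if c[HTTP_HOST] != "-":
        seen.append((("Intel::DOMAIN", c[HTTP_HOST]), "HTTP::IN_HOST_HEADER"))
    url = build_url(c[HTTP_HOST], c[HTTP_URI], c[HTTP_RESP_H], c[HTTP_RESP_P])
    seen.append((("Intel::URL", url), "HTTP::IN_URL"))
    return seen


def seen_from_conn(line: str) -> List[Seen]:
    """seen/conn-established reports both endpoints, but only from
    connection_established: ICMP and half-open TCP report nothing."""
    c = line.split("\t")
    if c[CONN_PROTO] != "tcp" or c[CONN_STATE] not in ESTABLISHED_STATES:
        return []
    return [(("Intel::ADDR", c[CONN_ORIG_H]), "Conn::IN_ORIG"),
            (("Intel::ADDR", c[CONN_RESP_H]), "Conn::IN_RESP")]


def match(intel: Dict[Indicator, Dict[str, str]],
          seen: List[Seen]) -> List[Tuple[Indicator, str, str]]:
    """Exact lookup, as the Intel framework does: (indicator, where, source)."""
    return [(i, w, intel[i]["meta.source"]) for i, w in seen if i in intel]


def demo() -> Dict[str, List[Tuple[Indicator, str, str]]]:
    """Run the four cases from the thread; an empty list means no intel.log row."""
    intel = load_intel(INTEL_FEED)
    return {
        "http": match(intel, seen_from_http(HTTP_LINE)),
        "ping": match(intel, seen_from_conn(CONN_ICMP)),
        "tcp": match(intel, seen_from_conn(CONN_TCP)),
        "scheme": match(load_intel(INTEL_FEED_WITH_SCHEME), seen_from_http(HTTP_LINE)),
    }
```

Running `demo()` shows the curl fetch hitting at HTTP::IN_URL, the ping producing nothing, the constructed TCP connection to the same address hitting at Conn::IN_RESP, and the scheme-prefixed feed entry never matching. If a feed and http.log row line up under this model but intel.log stays empty, the feed is not being loaded at all, which is what the loaded_scripts.log check above is for.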
