[Bro] Intel Framework Issues

Josh Liburdi liburdi.joshua at gmail.com
Mon Nov 23 10:47:57 PST 2015


I think the most common gotcha for IP addresses is that they will only appear in intel.log when they are a part of a successful TCP connection. Unsuccessful TCP connections and non-TCP connections will not appear in the log.

Josh

> On Nov 23, 2015, at 12:53 PM, Jan Grashofer <jan.grashofer at cern.ch> wrote:
> 
> Hi,
>  
> for URLs there is an important detail I missed the first time, when I used the intel framework. The documentation says: Intel::URL - A complete URL _without_ the prefix "http://".
>  
> However, IPs worked for me without any problem. Did you see any errors in the logs regarding the intel-files you use? Depending on how you generate your feeds the intel linter (https://github.com/packetsled/bro_intel_linter) might be helpful for you.
>  
> Best regards,
> Jan
>  
> From: bro-bounces at bro.org [bro-bounces at bro.org] on behalf of Disha Bora [dbora at isightpartners.com]
> Sent: Monday, November 23, 2015 18:12
> To: bro at bro.org
> Subject: [Bro] Intel Framework Issues
> 
> Hi,
> 
> I have been using Bro's intel framework to input my intelligence feed and get matches in intel.log. I seem to only be getting hits on domains but not IPs or URLs. I have also tried it on the mal-dnssearch feeds with the same results. Is there any particular reason why this would happen? How can I fix it?
> 
> Thanks!
> 
> Disha Bora
> Associate Product Manager
> iSIGHT Partners
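The two feed-format points raised in the thread (tab-separated intel files with a `#fields` header, and Intel::URL indicators written without the "http://" prefix) are easy to check before loading a feed. The following is an added example, not code from the thread or from the bro_intel_linter project Jan links to: a small Python checker that reads an intel file, verifies the header carries the three columns the framework requires (indicator, indicator_type, meta.source), and flags Intel::URL entries that carry a scheme prefix and Intel::ADDR entries that are not valid IP addresses. The sample feed and the "constructed" source label are made up for the demonstration; flagging "https://" as well as "http://" is an assumption that goes slightly beyond the quoted documentation sentence, on the reasoning that any scheme prefix prevents the match for the same reason.

```python
import ipaddress
from typing import List, Tuple

# Columns the Bro intel framework requires in every feed header.
REQUIRED_FIELDS = ("indicator", "indicator_type", "meta.source")

# The page only mentions "http://"; flagging https:// too is an assumption
# (a scheme prefix of any kind is not part of what Bro sees for a URL).
URL_SCHEMES = ("http://", "https://")


def lint_intel_feed(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, message) pairs for problems found in an intel feed."""
    problems: List[Tuple[int, str]] = []
    lines = text.splitlines()

    # The first line must be a tab-separated '#fields' header.
    if not lines or not lines[0].startswith("#fields\t"):
        problems.append((1, "missing '#fields' header line (columns must be tab-separated)"))
        return problems

    fields = lines[0].split("\t")[1:]
    missing = [name for name in REQUIRED_FIELDS if name not in fields]
    for name in missing:
        problems.append((1, f"header lacks required column '{name}'"))
    if missing:
        return problems
    col = {name: i for i, name in enumerate(fields)}

    for lineno, line in enumerate(lines[1:], start=2):
        # Blank lines and further '#'-prefixed lines are not indicator rows.
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(fields):
            # A space-separated row shows up here as a single column.
            problems.append((lineno, f"expected {len(fields)} tab-separated columns, got {len(parts)}"))
            continue

        indicator = parts[col["indicator"]]
        itype = parts[col["indicator_type"]]
        if itype == "Intel::URL" and indicator.lower().startswith(URL_SCHEMES):
            problems.append((lineno, "Intel::URL indicator must not carry a scheme prefix such as 'http://'"))
        elif itype == "Intel::ADDR":
            try:
                ipaddress.ip_address(indicator)
            except ValueError:
                problems.append((lineno, f"Intel::ADDR indicator is not a valid IP address: {indicator!r}"))
    return problems


# Constructed sample feed: one bad URL row (line 3) and one bad address row (line 6).
SAMPLE_FEED = (
    "#fields\tindicator\tindicator_type\tmeta.source\n"
    "evil.example\tIntel::DOMAIN\tconstructed\n"
    "http://evil.example/payload.exe\tIntel::URL\tconstructed\n"
    "evil.example/payload.exe\tIntel::URL\tconstructed\n"
    "192.0.2.10\tIntel::ADDR\tconstructed\n"
    "192.0.2.999\tIntel::ADDR\tconstructed\n"
)


if __name__ == "__main__":
    for lineno, msg in lint_intel_feed(SAMPLE_FEED):
        print(f"line {lineno}: {msg}")
```

Run against a real feed file with `lint_intel_feed(open(path).read())`. A clean result does not by itself mean an Intel::ADDR entry will show up in intel.log: as Josh notes above, address indicators are only reported for successfully established TCP connections, so a feed can be well-formed and still produce no address hits on traffic that never completes a handshake.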
