[Bro] Intel framework troubleshooting on Bro 2.5

Hovsep Levi hovsep.sanjay.levi at gmail.com
Fri Oct 7 14:44:05 PDT 2016


Thanks, that linter is finding errors.  I just started using CriticalStack
with Bro 2.5 so I can't comment on prior issues.

If the linter is working as expected then it appears the problem is with a
few URIs from PhishTank with odd URL encoding; maybe they are mistakenly
being interpreted as tabs during parsing or are corrupting some internal
state within Bro.


bro at mgr:/opt/bro/feeds % bro_intel_linter/intel_linter.py -f
master-public.bro.dat
WARNING: Line 1263 - Invalid entry
"bjcurio.com/js/index.htm?\xc3\x83?\xc3\x82?\xc3\x83?\xc3\x82???\xc3\x83?\xc3\x82?\xc3\x83?\xc3\x82???\xc3\x83?\xc3\x82?\xc3\x83?\xc3\x82???\xc3\x83?\xc3\x82?\xc3\x83?\xc3\x82???\xc3\x83?\xc3\x82?\xc3\x83?\xc3\x82???\xc3\x83?\xc3\x82?\xc3\x83?\xc3\x82???\xc3\x83?\xc3\x82?\xc3\x83?\xc3\x82???\xc3\x83?\xc3\x82?\xc3\x83?\xc3\x82???\xc3\x83?\xc3\x82?\xc3\x83?\xc3\x82???\xc3\x83?\xc3\x82?\xc3\x83?\xc3\x82???\xc3\x83?\xc3\x82?\xc3\x83?\xc3\x82???\xc3\x83?\xc3\x82?\xc3\x83?\xc3\x82???\xc3\x83?\xc3\x82?\xc3\x83?\xc3\x82???\xc3\x83?\xc3\x82?\xc3\x83?\xc3\x82???\xc3\x83?\xc3\x82?\xc3\x83?\xc3\x82???\xc3\x83?\xc3\x82?\xc3\x83?\xc3\x82???\xc3\x83?\xc3\x82?\xc3\x83?\xc3\x82???\xc3\x83?\xc3\x82?\xc3\x83?\xc3\x82???\xc3\x83?\xc3\x82?\xc3\x83?\xc3\x82??%"
for column "indicator"
WARNING: Line 4501 - Invalid entry "
generalfil.es/download/gs4eb28030h17i0/windows%20live%20messenger%208.5%20%20%20patch%20anti-atualizaai\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbdi\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbdai\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbdi\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbdo%20%20%20messenger%20plus!%20liv.html"
for column "indicator"
WARNING: Line 12438 - Invalid entry "
www.alhotocaia.com.br/Templates/11632/simplestyle_5/style/-6327-40825785664-3357953/index.html?A?A?A?%20I?A?A?A?A\xef\xbf\xbd\xef\xbf\xbd1A?A\xef\xbf\xbd\xef\xbf\xbdA?A??"
for column "indicator"
ERROR: Line 13902 - Indicator type "Intel::ADDR" possible issue with
indicator: "2400:8901::f03c:91ff:feb0:bdb0"
ERROR: Line 13902 - Details - Invalid IP address



On Fri, Oct 7, 2016 at 6:04 PM, Jan Grashöfer <jan.grashoefer at gmail.com>
wrote:

> > Nothing stands out.  Looking at base/frameworks/intel/input.bro is
> > there a way to hook Input::add_event and have those events written to
> > a log file?
>
> You could use the Intel::read_entry event. For validation of the files
> have a look at https://github.com/packetsled/bro_intel_linter.
>
> Can you reproduce the issue running a standalone deployment or against a
> pcap and is that issue new in Bro 2.5?
>
> Jan
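As an added example (not code from this thread, and not the bro_intel_linter project Jan points to), the following validator runs the kind of checks the linter output above illustrates over a constructed, tab-separated intel feed: a column count that no longer matches the `#fields` header (what an embedded tab in an indicator would produce), indicator bytes that are not valid UTF-8 or carry U+FFFD replacement characters or other non-ASCII text, and `Intel::ADDR` values that do not parse as IP addresses. The feed contents, field names beyond `indicator` and `indicator_type`, and the severity labels are assumptions made for the example. One caveat: Python's `ipaddress` module accepts compressed IPv6 notation such as the address flagged in the linter output above, so a check built this way will not report it; the authoritative test is whether Bro itself loads the row.

```python
"""Constructed validator for a Bro/Zeek intel file (tab-separated, '#fields' header).

Added example, not part of the mailing-list thread or of bro_intel_linter.
It reports the problem classes discussed in the thread: indicator fields that
shift the column layout (embedded tabs), indicator bytes that are not clean
UTF-8 / ASCII, and Intel::ADDR indicators that are not IP addresses.
"""
import ipaddress

# Constructed sample feed. Kept as bytes because real feeds are not
# guaranteed to be valid UTF-8; the odd byte sequences mimic the ones the
# linter complained about (\xc3\x83 mojibake, \xef\xbf\xbd = U+FFFD).
SAMPLE_FEED = (
    b"#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\n"
    b"example.com/good/path\tIntel::URL\tphishtank\tok\n"
    b"bad.example/\xc3\x83?\xc3\x82?\tIntel::URL\tphishtank\tmojibake\n"
    b"bad2.example/x\xef\xbf\xbdy\tIntel::URL\tphishtank\treplacement char\n"
    b"1.2.3.4\tIntel::ADDR\tfeed\tfine\n"
    b"999.1.1.1\tIntel::ADDR\tfeed\tbroken\n"
    b"2001:db8::1\tIntel::ADDR\tfeed\tcompressed v6\n"
    b"tab\tinside\tIntel::URL\tfeed\textra column\n"
)


def _check_indicator_bytes(raw: bytes) -> list[str]:
    """Return a list of problems found in one raw indicator field."""
    problems = []
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return ["indicator is not valid UTF-8"]
    if "\ufffd" in text:
        problems.append("indicator contains U+FFFD replacement characters")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in text):
        problems.append("indicator contains control characters")
    if any(ord(c) > 0x7E for c in text):
        problems.append("indicator contains non-ASCII characters (expected percent-encoding)")
    return problems


def validate_intel(feed: bytes) -> list[tuple[int, str, str]]:
    """Walk the feed line by line and return (line_no, level, message) findings."""
    findings = []
    header = None
    for lineno, line in enumerate(feed.split(b"\n"), start=1):
        if not line or line.startswith(b"#"):
            if line.startswith(b"#fields"):
                header = line.split(b"\t")[1:]  # drop the '#fields' token itself
            continue
        if header is None:
            findings.append((lineno, "ERROR", "data row before #fields header"))
            continue
        cols = line.split(b"\t")
        if len(cols) != len(header):
            # An indicator carrying a raw tab shows up exactly like this.
            findings.append((lineno, "ERROR",
                             f"expected {len(header)} columns, got {len(cols)} (embedded tab?)"))
            continue
        row = dict(zip(header, cols))
        indicator = row.get(b"indicator", b"")
        itype = row.get(b"indicator_type", b"").decode("ascii", "replace")
        for problem in _check_indicator_bytes(indicator):
            findings.append((lineno, "WARNING", problem))
        if itype == "Intel::ADDR":
            try:
                ipaddress.ip_address(indicator.decode("ascii"))
            except (UnicodeDecodeError, ValueError):
                findings.append((lineno, "ERROR",
                                 "Intel::ADDR indicator is not a valid IP address"))
    return findings


if __name__ == "__main__":
    for lineno, level, message in validate_intel(SAMPLE_FEED):
        print(f"{level}: Line {lineno} - {message}")
```

Run against a real feed by replacing `SAMPLE_FEED` with the file's bytes; rows that produce a column-count error are the ones most likely to desynchronise the input framework's parsing, so they are worth fixing or dropping before the rest.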