[Bro] Issues with intel framework
Azoff, Justin S
jazoff at illinois.edu
Fri Sep 16 12:49:04 PDT 2016
> On Sep 16, 2016, at 2:59 PM, James Gordon <gordonjamesr at gmail.com> wrote:
>
> Thanks Justin!
>
> Adding an entry for www.reddit.com:443 seemed to do the trick. I’ll experiment with removing the port from the http-headers.bro file in a test environment so that we don’t have to add duplicate entries for all https sites. Unfortunately, I added another entry in the intel_domains.dat file for www.linux.com:443, and that still is not firing intel hits.
Is www.linux.com or www.linux.com:443 showing up anywhere? It should be in at least some of the dns/http/ssl logs.
> I have '@load intel' in my local.bro file, and I modified intel’s __load__.bro to include the new intel_domains.dat (as found in the original attachment). Is that all that should be necessary to load a new .dat into the intel framework?
Don't modify any of the installed scripts. If you want to load an additional intel file, use

    # Append your own file to the list the intel framework reads at startup
    redef Intel::read_files += {
        "/some/filename.dat"
    };

in your local.bro or another script that you load from your local.bro.
To avoid hardcoding the full path you can use

    # @DIR expands to the directory of the script containing this line
    redef Intel::read_files += {
        fmt("%s/filename.dat", @DIR)
    };
> Also, thanks for explaining the way connections are alerted on! I see value in alerting on failed outbound connections that we’re suspicious about.
> This is probably a dumb question, but should I replace $bropath/policy/frameworks/intel/seen/conn-established.bro with a conn-attempted.bro, or will it be necessary to use both if I want to be alerted on both successful and attempted connections?
>
> Thanks again,
>
> James Gordon
>
You'll need both. Create an intel-conn-attempted.bro file next to your local.bro and include the code there.
--
- Justin Azoff
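Putting the two answers above together, here is an added example (not from the thread or from the Bro distribution) of a local.bro that loads its own intel file with @DIR and a sibling intel-conn-attempted.bro that feeds failed outbound connection attempts to the intel framework alongside the stock conn-established.bro. It assumes the intel file is named intel_domains.dat as in James's message, and uses Bro's `connection_attempt` event and the `Conn::IN_RESP` location from the seen/where-locations script.

```zeek
# ---- local.bro (relevant lines only) ----
# Stock intel scripts: "seen" hooks (conn-established, http, dns, ssl, ...)
# plus the script that turns hits into notices.
@load frameworks/intel/seen
@load frameworks/intel/do_notice

# Our own hook for connections that never completed the handshake.
# Lives next to local.bro, so a ./ relative load finds it.
@load ./intel-conn-attempted

# Load the indicator file from the same directory as local.bro instead
# of hardcoding an absolute path (assumed filename from the thread).
redef Intel::read_files += {
    fmt("%s/intel_domains.dat", @DIR)
};

# ---- intel-conn-attempted.bro ----
@load base/frameworks/intel
@load frameworks/intel/seen/where-locations

# connection_attempt fires when the originator's SYN got no answer within
# the attempt timeout. conn-established.bro only looks at handshakes that
# succeeded, so without this hook a blocked or dead listed host is never
# matched. Only the responder address is checked: for a failed outbound
# attempt that is the destination our host tried to reach.
event connection_attempt(c: connection)
    {
    Intel::seen([$host=c$id$resp_h,
                 $conn=c,
                 $where=Conn::IN_RESP]);
    }
```

A hit from this hook shows up in intel.log with `seen.where` set to `Conn::IN_RESP` and a conn.log entry whose `conn_state` is S0, which distinguishes it from an established connection to the same indicator.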