[Bro] Issues with intel framework

Azoff, Justin S jazoff at illinois.edu
Fri Sep 16 12:49:04 PDT 2016


> On Sep 16, 2016, at 2:59 PM, James Gordon <gordonjamesr at gmail.com> wrote:
> 
> Thanks Justin!
> 
> Adding an entry for www.reddit.com:443 seemed to do the trick. I’ll experiment with removing the port from the http-headers.bro file in a test environment so that we don’t have to add duplicate entries for all https sites. Unfortunately, I added another entry in the intel_domains.dat file for www.linux.com:443, and that still is not firing intel hits.

Is www.linux.com or www.linux.com:443 showing up anywhere?  It should be in at least some of the dns/http/ssl logs.

> I have '@load intel' in my local.bro file, and I modified intel’s __load__.bro to include the new intel_domains.dat (as found in the original attachment). Is that all that should be necessary to load a new .dat into the intel framework? 

Don't modify any of the installed scripts.  If you want to load an additional intel file use

redef Intel::read_files += {
	"/some/filename.dat"
};

in your local.bro or another script that you load from your local.bro.

To avoid hardcoding the full path you can use

redef Intel::read_files += {
	fmt("%s/filename.dat", @DIR)
};


> Also, thanks for explaining the way connections are alerted on! I see value in alerting on failed outbound connections that we’re suspicious about.
> This is probably a dumb question, but should I replace $bropath/policy/frameworks/intel/seen/conn-established.bro with a conn-attempted.bro, or will it be necessary to use both if I want to be alerted on both successful and attempted connections?
> 
> Thanks again,
> 
> James Gordon
> 

You'll need both.  Create an intel-conn-attempted.bro file next to your local.bro and include the code there.


-- 
- Justin Azoff
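An added example, not code from this thread or from the Bro project, putting the two pieces of advice above into one script. It assumes the script is saved as intel-local.bro next to local.bro (loaded with `@load ./intel-local`), that the extra intel file is named intel_domains.dat and sits in the same directory, and that the stock seen/conn-established.bro stays loaded for successful connections. The intel file contents shown in the comment are constructed sample data.

```bro
# intel-local.bro (assumed name): load it from local.bro with
#     @load ./intel-local
# Added example, not code from the mailing-list thread or from Bro itself.

@load base/frameworks/intel
# Provides the Conn::IN_ORIG / Conn::IN_RESP "where" locations used below.
@load policy/frameworks/intel/seen/where-locations

# Extra intel file kept next to this script. @DIR expands to the directory
# of the script being parsed, so no absolute path is hard-coded.
# Constructed example of intel_domains.dat (columns separated by one tab,
# one #fields header line, no trailing blank line):
#   #fields	indicator	indicator_type	meta.source
#   www.reddit.com:443	Intel::DOMAIN	local-watchlist
#   www.linux.com	Intel::DOMAIN	local-watchlist
#   203.0.113.10	Intel::ADDR	local-watchlist
redef Intel::read_files += {
	fmt("%s/intel_domains.dat", @DIR)
};

# The stock seen/conn-established.bro only reports hosts once the TCP
# handshake completes. connection_attempt fires when the originator's
# SYN goes unanswered (after tcp_attempt_delay), so checking the
# responder address here also surfaces failed outbound connections to
# listed hosts. Keep conn-established.bro loaded to cover successful ones.
event connection_attempt(c: connection)
	{
	Intel::seen([$host=c$id$resp_h,
	             $conn=c,
	             $where=Conn::IN_RESP]);
	}
```

One caveat when testing this: connection-level hooks such as the one above match only Intel::ADDR indicators, because all they can see is the responder IP. Domain indicators like www.linux.com are matched by the dns, http-host-header and ssl seen scripts, which is why a domain that never appears in dns.log, http.log or ssl.log will not produce an intel hit no matter how the connection-level scripts are arranged.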



