[Bro] broctl status peers 0 / critical stack is running?

Federico Olivieri lvrfrc87 at gmail.com
Wed Sep 28 04:05:39 PDT 2016


Thanks to everyone for the answers.

So, the files are there

root at raspberrypi:/opt/critical-stack/frameworks/intel# tail master-public.bro.dat
177.78.208.98 Intel::ADDR from http://lists.blocklist.de/lists/all.txt via intel.criticalstack.com F
8yhn3hlvcc.centade.com Intel::DOMAIN from http://hosts-file.net/emd.txt via intel.criticalstack.com F
0rx.ru Intel::DOMAIN from http://hosts-file.net/pha.txt via intel.criticalstack.com F
5.167.64.14 Intel::ADDR from http://lists.blocklist.de/lists/all.txt via intel.criticalstack.com F
jjl2au.3v2b7sh2.com Intel::DOMAIN from http://hosts-file.net/emd.txt via intel.criticalstack.com F
nl.secure-update-get.org Intel::DOMAIN from http://hosts-file.net/emd.txt via intel.criticalstack.com F
sekaminerva.com Intel::DOMAIN from http://hosts-file.net/psh.txt via intel.criticalstack.com F
www.apple-sd-icloud.com Intel::DOMAIN from http://hosts-file.net/psh.txt via intel.criticalstack.com F
gracemi.com Intel::DOMAIN from http://hosts-file.net/emd.txt via intel.criticalstack.com F
bitminemart.com Intel::DOMAIN from http://hosts-file.net/fsa.txt via intel.criticalstack.com F

root at raspberrypi:/opt/critical-stack/frameworks/intel# more __load__.bro
@load ./feeds.bro

root at raspberrypi:/opt/critical-stack/frameworks/intel# more feeds.bro
@load base/frameworks/intel
@load frameworks/intel/seen
@load frameworks/intel/do_notice

redef Intel::read_files += {
"/opt/critical-stack/frameworks/intel/master-public.bro.dat"
};

Then, I have the files under these directories (slightly
different from what you suggested but it should be good anyway)

/opt/bro/share/bro/base/frameworks/intel
/opt/bro/share/bro/base/frameworks/intel/cluster.bro
/opt/bro/share/bro/base/frameworks/intel/input.bro
/opt/bro/share/bro/base/frameworks/intel/__load__.bro
/opt/bro/share/bro/base/frameworks/intel/main.bro
/opt/bro/share/bro/policy/frameworks/intel
/opt/bro/share/bro/policy/frameworks/intel/do_notice.bro
/opt/bro/share/bro/policy/frameworks/intel/seen
/opt/bro/share/bro/policy/frameworks/intel/seen/conn-established.bro
/opt/bro/share/bro/policy/frameworks/intel/seen/dns.bro
/opt/bro/share/bro/policy/frameworks/intel/seen/file-hashes.bro
/opt/bro/share/bro/policy/frameworks/intel/seen/file-names.bro
/opt/bro/share/bro/policy/frameworks/intel/seen/http-headers.bro
/opt/bro/share/bro/policy/frameworks/intel/seen/http-url.bro
/opt/bro/share/bro/policy/frameworks/intel/seen/__load__.bro
/opt/bro/share/bro/policy/frameworks/intel/seen/pubkey-hashes.bro
/opt/bro/share/bro/policy/frameworks/intel/seen/smtp.bro
/opt/bro/share/bro/policy/frameworks/intel/seen/smtp-url-extraction.bro
/opt/bro/share/bro/policy/frameworks/intel/seen/ssl.bro
/opt/bro/share/bro/policy/frameworks/intel/seen/where-locations.bro
/opt/bro/share/bro/policy/frameworks/intel/seen/x509.bro
/opt/bro/share/bro/policy/integration/collective-intel
/opt/bro/share/bro/policy/integration/collective-intel/__load__.bro
/opt/bro/share/bro/policy/integration/collective-intel/main.bro

Can you please confirm if everything is right from your point of view? I
have tried to use Tor as indicated in the guide but I couldn't see any
intel.log file under the BRO directory.

Federico

2016-09-26 16:47 GMT+01:00 <tgdesrochers at gmail.com>:

> I believe if it is working correctly you will find the file
> “master-public.bro.dat” inside the criticalstack install directory.  The
> path to that file needs to be added to your __load__.bro in your
> /usr/local/bro/share/bro/intel/ directory.  Then make sure you load the
> intel framework in your local.bro and you should be good to go.
>
> From: Gary Faulkner <gfaulkner.nsm at gmail.com>
> Sent: Sunday, September 25, 2016 1:22 PM
> To: Federico Olivieri <lvrfrc87 at gmail.com>
> Cc: bro at bro.org
> Subject: Re: [Bro] broctl status peers 0 / critical stack is running?
>
> I haven't set up Critical Stack before, but my understanding is that if
> set up correctly you should be seeing an intel.log file being generated.
> There is an article over at Taosecurity that includes a link to a Google
> Doc with better details than I can provide. Link below:
>
> http://taosecurity.blogspot.com/2015/01/try-critical-stack-intel-client.html
>
> ~Gary
>
> On 9/24/2016 3:02 AM, Federico Olivieri wrote:
>
> Thanks Gary for the info! Are you able to provide me info about my second
> question as well?
>
> 2-How can I check if critical-stack is "feeding" BRO?
>
> Federico
>
> 2016-09-23 17:30 GMT+01:00 Gary Faulkner <gfaulkner.nsm at gmail.com>:
>
> The peer column is for when you operate Bro in cluster mode. It will show
> how many workers are connected to the manager and proxies. Since you are in
> stand-alone mode, this will not show any peers.
>
> ~Gary
>
> On 9/23/2016 10:59 AM, Federico Olivieri wrote:
>
> Hi everybody,
>
> I'm new to BRO and first of all I would say... thank you for the great
> product you developed! It is so good and well done! Easy to use! I love
> the integration with critical stack!
>
> I have managed to set up and run BRO on my raspi and everything is ok.
> Just a couple of questions:
>
> 1-Can someone explain to me the meaning of the Peer column?
>
> root at raspberrypi:~# broctl status
> Getting process status ...
> Getting peer status ...
> Name         Type       Host          Status    Pid    Peers  Started
> bro          standalone localhost     running   6695   0      23 Sep 08:55:03
>
> 2-How can I check if critical-stack is "feeding" BRO?
>
> Thanks!
> Federico
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
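The open question in this thread is how to tell whether the Critical Stack feed is actually reaching Bro. Two facts about the Intel framework decide it: Bro's input framework only loads intel files that are tab-separated and start with a `#fields` header naming at least `indicator`, `indicator_type` and `meta.source` (the archive above collapsed the file's tabs to spaces, which is what a broken feed looks like), and intel.log is only written once an indicator seen in traffic matches a loaded one, so a box with no traffic to a listed address or domain never produces the file at all. The script below is an added example, not code from this thread, from Bro or from Critical Stack: it parses a feed in that format, rejects the format errors that stop a feed from loading, and dry-runs a lookup the way `Intel::seen` would. Its sample rows are constructed from the indicators shown earlier in the thread, and its matching (exact, domains lowercased) is a simplification of the framework's own logic, not a copy of it.

```python
"""Offline sanity check for a Bro/Zeek Intel framework feed file.

Added example (not from the thread, Bro or Critical Stack).  It parses a
feed in the tab-separated #fields format the input framework expects,
rejects the mistakes that silently stop a feed from loading, and dry-runs
a lookup so you can predict whether an observation should hit intel.log.
"""

REQUIRED_FIELDS = ("indicator", "indicator_type", "meta.source")

# Constructed sample built from indicators quoted in the thread.  Real
# Critical Stack files are tab-separated; the mail archive collapsed the
# tabs to spaces, which is exactly the shape BAD_FEED reproduces.
GOOD_FEED = "\n".join([
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.do_notice",
    "177.78.208.98\tIntel::ADDR\tfrom http://lists.blocklist.de/lists/all.txt via intel.criticalstack.com\tF",
    "0rx.ru\tIntel::DOMAIN\tfrom http://hosts-file.net/pha.txt via intel.criticalstack.com\tF",
    "www.apple-sd-icloud.com\tIntel::DOMAIN\tfrom http://hosts-file.net/psh.txt via intel.criticalstack.com\tF",
])

BAD_FEED = "\n".join([
    "#fields indicator indicator_type meta.source meta.do_notice",
    "177.78.208.98 Intel::ADDR from http://lists.blocklist.de/lists/all.txt via intel.criticalstack.com F",
])


def parse_intel_file(text):
    """Return (fields, rows); rows are dicts keyed by the #fields names.

    Raises ValueError for the format errors that stop Bro loading a feed:
    no #fields header, a space-separated header, missing required fields,
    or a data row whose column count does not match the header.
    """
    fields = None
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#fields"):
            parts = line.split("\t")
            if parts[0] != "#fields" or len(parts) < 2:
                raise ValueError("line %d: #fields header must be tab-separated" % lineno)
            fields = parts[1:]
            missing = [f for f in REQUIRED_FIELDS if f not in fields]
            if missing:
                raise ValueError("line %d: missing required fields %s" % (lineno, missing))
            continue
        if line.startswith("#"):
            continue  # other directives and comments are ignored
        if fields is None:
            raise ValueError("line %d: data row before #fields header" % lineno)
        cols = line.split("\t")
        if len(cols) != len(fields):
            raise ValueError("line %d: expected %d tab-separated columns, got %d"
                             % (lineno, len(fields), len(cols)))
        rows.append(dict(zip(fields, cols)))
    if fields is None:
        raise ValueError("no #fields header found")
    return fields, rows


def build_index(rows):
    """Index rows by (indicator_type, indicator), lowercasing domains.

    Simplification of the framework's in-memory store: one exact-match key
    per indicator, with every source that listed it.
    """
    index = {}
    for row in rows:
        itype, ind = row["indicator_type"], row["indicator"]
        if itype == "Intel::DOMAIN":
            ind = ind.lower()
        index.setdefault((itype, ind), []).append(row["meta.source"])
    return index


def seen(index, indicator, indicator_type):
    """Dry-run of Intel::seen: the sources that would be logged to
    intel.log for this observation, or [] when nothing would be logged."""
    if indicator_type == "Intel::DOMAIN":
        indicator = indicator.lower()
    return index.get((indicator_type, indicator), [])


def load_and_check(text, observations):
    """Parse a feed and map each (indicator, indicator_type) observation
    to the sources it would hit."""
    _, rows = parse_intel_file(text)
    index = build_index(rows)
    return {obs: seen(index, *obs) for obs in observations}


if __name__ == "__main__":
    hits = load_and_check(GOOD_FEED, [("0RX.RU", "Intel::DOMAIN"),
                                      ("177.78.208.98", "Intel::ADDR"),
                                      ("example.org", "Intel::DOMAIN")])
    for obs, sources in hits.items():
        print(obs, "->", sources or "no hit")
    try:
        parse_intel_file(BAD_FEED)
    except ValueError as err:
        print("bad feed rejected:", err)
```

Run it against the real `master-public.bro.dat` by reading the file into `parse_intel_file`; if that raises, the feed was never going to load, and if it parses but `seen` returns nothing for the hosts the sensor actually sees, the absence of intel.log is expected rather than a sign that the integration is broken.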