[Bro] Intel.log wrong format

-- Rodrigo Kroll -- rodrigokroll at gmail.com
Tue Jan 24 07:39:52 PST 2017 

Good morning guys,

I'm using the INTEL bro framework successfully. I'm having a hard time to
understand why inside my intel.log file, the information "Intel::ADDR" is
showing twice. In identified by the fields "seen.indicator_type" and
"matched sources".

Which seems wrong, in my understanding matched sources should've been
identified by the text "Bad Reputation Domain", which is actually end up
being identified as the field "fuid".

A log sample is below:

root at BroTest:~# zcat
/usr/local/bro/logs/2017-01-23/intel.13\:00\:00-14\:00\:00.log.gz
#separator \x09
#set_separator  ,
#empty_field    (empty)
#unset_field    -
#path   intel
#open   2017-01-23-13-01-54
#fields ts      uid     id.orig_h       id.orig_p       id.resp_h
id.resp_p       seen.indicator  seen.indicator_type     seen.where
 seen.node       matched sources fuid    file_mime_type  file_desc
#types  time    string  addr    port    addr    port    string  enum
 enum    string  set[enum]       set[string]     string  string  string
1485194513.356126       CVmspB2e68PB5ZiXU5      192.168.1.3     47712
XXX.XXX.XXX.XXX  80      XXX.XXX.XXX.XXX  Intel::ADDR     Conn::IN_RESP
bro     Intel::ADDR     Bad Reputation Domain   -       -       -
1485194630.876093       CT0uqm4aoaPeGA2RU4      192.168.1.3     47714
XXX.XXX.XXX.XXX  80      XXX.XXX.XXX.XXX  Intel::ADDR     Conn::IN_RESP
bro     Intel::ADDR     Bad Reputation Domain   -       -       -
1485194636.036057       CbG2JX2YHPJXciEb59      192.168.1.3     47716
XXX.XXX.XXX.XXX  80      XXX.XXX.XXX.XXX  Intel::ADDR     Conn::IN_RESP
bro     Intel::ADDR     Bad Reputation Domain   -       -       -
1485194640.586000       CCEoOs3ka9x4Qeqo7f      192.168.1.3     47718
XXX.XXX.XXX.XXX  80      XXX.XXX.XXX.XXX  Intel::ADDR     Conn::IN_RESP
bro     Intel::ADDR     Bad Reputation Domain   -       -       -
1485195059.276054       CyJZA6iIJMyaC6QL8       192.168.1.100   41913
XXX.XXX.XXX.XXX  80      XXX.XXX.XXX.XXX  Intel::ADDR     Conn::IN_RESP
bro     Intel::ADDR     Bad Reputation Domain   -       -       -
1485195061.556121       Cogijk3k5VH5Oxp9o9      192.168.1.3     47720
XXX.XXX.XXX.XXX  80      XXX.XXX.XXX.XXX  Intel::ADDR     Conn::IN_RESP
bro     Intel::ADDR     Bad Reputation Domain   -       -       -
1485195102.716131       CYGoic29UuEmw9iO5       192.168.1.3     47722
XXX.XXX.XXX.XXX  80      XXX.XXX.XXX.XXX  Intel::ADDR     Conn::IN_RESP
bro     Intel::ADDR     Bad Reputation Domain   -       -       -
1485195327.906063       CinQa13NxfIZEwyg73      192.168.1.3     47724
XXX.XXX.XXX.XXX  80      XXX.XXX.XXX.XXX  Intel::ADDR     Conn::IN_RESP
bro     Intel::ADDR     Bad Reputation Domain   -       -       -

Any help would be very useful! Thank you


-- 
Rodrigo Kroll
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170124/f905843e/attachment-0001.html

More information about the Bro mailing list