[Bro] Intel.log wrong format

fatema bannatwala fatema.bannatwala at gmail.com
Tue Jan 24 08:13:11 PST 2017


Hi Rodrigo,

I had the same feeling when I first looked at my intel.log file.
The thing is that "matched" and "sources" are two different fields.
What you are seeing is correct, with Intel::ADDR in the "matched" field and
"Bad Reputation Domain" in the "sources" field.

-Fatema.

P.S: Here is the description of the intel record:

Type: record
<https://www.bro.org/sphinx-git/script-reference/types.html#type-record>

ts: time &log
<https://www.bro.org/sphinx-git/script-reference/types.html#type-time>
<https://www.bro.org/sphinx-git/script-reference/attributes.html#attr-&log>
    Timestamp when the data was discovered.

uid: string &log &optional
<https://www.bro.org/sphinx-git/script-reference/types.html#type-string>
<https://www.bro.org/sphinx-git/script-reference/attributes.html#attr-&optional>
    If a connection was associated with this intelligence hit, this is the uid
    for the connection.

id: conn_id &log &optional
<https://www.bro.org/sphinx-git/scripts/base/init-bare.bro.html#type-conn_id>
    If a connection was associated with this intelligence hit, this is the
    conn_id for the connection.

seen: Intel::Seen &log
<https://www.bro.org/sphinx-git/scripts/base/frameworks/intel/main.bro.html#type-Intel::Seen>
    Where the data was seen.

matched: Intel::TypeSet &log
<https://www.bro.org/sphinx-git/scripts/base/frameworks/intel/main.bro.html#type-Intel::TypeSet>
    Which indicator types matched.

sources: set[string] &log &default = {  } &optional
<https://www.bro.org/sphinx-git/script-reference/types.html#type-set>
<https://www.bro.org/sphinx-git/script-reference/attributes.html#attr-&default>
    Sources which supplied data that resulted in this match.

fuid: string &log &optional
    (present if base/frameworks/intel/files.bro is loaded)
    <https://www.bro.org/sphinx-git/scripts/base/frameworks/intel/files.bro.html>
    If a file was associated with this intelligence hit, this is the uid for
    the file.

file_mime_type: string &log &optional
    (present if base/frameworks/intel/files.bro is loaded)
    A mime type if the intelligence hit is related to a file. If the $f field
    is provided this will be automatically filled out.

file_desc: string &log &optional
    (present if base/frameworks/intel/files.bro is loaded)
    Frequently files can be "described" to give a bit more context. If the $f
    field is provided this field will be automatically filled out.
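Added example, not part of Fatema's reply or of the Bro project's own code: a small parser for Bro's tab-separated ASCII log format that reads the #separator, #set_separator, #empty_field, #unset_field, #fields and #types header lines and converts each column by its declared type. Run over a constructed intel.log sample (the field list assumes a Bro 2.5 intel.log with base/frameworks/intel/files.bro loaded; check the #fields line of your own log), it makes the point of the thread visible: "matched" is a set of indicator types (e.g. Intel::ADDR) and "sources" is a separate set of feed names (e.g. "Bad Reputation Domain"), so a detection pipeline should key on the indicator and its sources rather than on the type tag alone. The uids, addresses and feed names in the sample are constructed.

```python
"""Parse a Bro ASCII log and show that intel.log's "matched" and "sources"
are two distinct set-typed columns (added example, not Bro project code)."""
import codecs
from dataclasses import dataclass, field

# Constructed sample. Header lines follow the Bro ASCII writer layout; the
# field list mirrors a Bro 2.5 intel.log with base/frameworks/intel/files.bro
# loaded (assumed here). The first row reproduces the hit discussed in the
# thread: matched=Intel::ADDR, sources="Bad Reputation Domain". The second
# row shows a domain hit supplied by two feeds.
SAMPLE_INTEL_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tintel\n"
    "#open\t2017-01-24-08-00-00\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p"
    "\tseen.indicator\tseen.indicator_type\tseen.where\tseen.node"
    "\tmatched\tsources\tfuid\tfile_mime_type\tfile_desc\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tenum\tenum"
    "\tstring\tset[enum]\tset[string]\tstring\tstring\tstring\n"
    "1485274391.123456\tCHhAvVGS1DHFjwGM9\t10.0.0.5\t51234\t198.51.100.23"
    "\t443\t198.51.100.23\tIntel::ADDR\tConn::IN_RESP\tbro"
    "\tIntel::ADDR\tBad Reputation Domain\t-\t-\t-\n"
    "1485274402.654321\tC4J4Th3PJpwUYZZ6gc\t10.0.0.7\t49152\t203.0.113.9"
    "\t80\tbad.example.test\tIntel::DOMAIN\tHTTP::IN_HOST_HEADER\tbro"
    "\tIntel::DOMAIN\tfeedA,feedB\t-\t-\t-\n"
    "#close\t2017-01-24-09-00-00\n"
)


@dataclass
class BroLog:
    fields: list = field(default_factory=list)   # column names from #fields
    types: list = field(default_factory=list)    # column types from #types
    rows: list = field(default_factory=list)     # one dict per record


def _convert(raw, typ, set_sep, empty, unset):
    """Turn one raw column into a Python value according to its #types entry."""
    if raw == unset:
        return None                        # &optional field that was not set
    if typ.startswith("set[") or typ.startswith("vector["):
        items = [] if raw == empty else raw.split(set_sep)
        return set(items) if typ.startswith("set[") else items
    if typ in ("time", "interval", "double"):
        return float(raw)
    if typ in ("count", "int", "port"):
        return int(raw)
    if typ == "bool":
        return raw == "T"
    return raw                             # string, addr, enum, subnet, ...


def parse_bro_log(text):
    """Parse the Bro ASCII log format, honouring the separators the header declares."""
    sep, set_sep, empty, unset = "\t", ",", "(empty)", "-"
    log = BroLog()
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # The value is written escaped, e.g. "\x09" for a tab.
                sep = codecs.decode(line[len("#separator "):], "unicode_escape")
                continue
            key, _, value = line[1:].partition(sep)
            if key == "set_separator":
                set_sep = value
            elif key == "empty_field":
                empty = value
            elif key == "unset_field":
                unset = value
            elif key == "fields":
                log.fields = value.split(sep)
            elif key == "types":
                log.types = value.split(sep)
            continue                       # #path, #open, #close are metadata
        values = line.split(sep)
        if len(values) != len(log.fields):
            raise ValueError(f"column count mismatch in line: {line!r}")
        log.rows.append({
            name: _convert(raw, typ, set_sep, empty, unset)
            for name, typ, raw in zip(log.fields, log.types, values)
        })
    return log


def intel_hits(log):
    """Return (indicator, matched indicator types, feed sources) per hit.

    Sorting the two sets gives a deterministic view; note that the type tag
    lives in 'matched' and the feed names live in 'sources'."""
    return [
        (row["seen.indicator"], sorted(row["matched"]), sorted(row["sources"]))
        for row in log.rows
    ]


if __name__ == "__main__":
    for indicator, matched, sources in intel_hits(parse_bro_log(SAMPLE_INTEL_LOG)):
        print(f"{indicator:20} matched={matched} sources={sources}")
```

The unset marker ("-") becomes None rather than the literal string, so a check such as `row["fuid"] is None` distinguishes "no file involved" from an empty file id; set-typed columns come back as Python sets, which is what you want when de-duplicating feed names across many hits.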