[Bro] Intel.log wrong format

-- Rodrigo Kroll -- rodrigokroll at gmail.com
Tue Jan 24 08:24:55 PST 2017


Hello ALL,

Fatema, you are right! Thank you so much!

Have a great day

On Tue, Jan 24, 2017 at 11:13 AM, fatema bannatwala <fatema.bannatwala at gmail.com> wrote:

> Hi Rodrigo,
>
> I had the same feeling when I first looked at my intel.log file.
> The thing is that "matched" and "sources" are two different fields.
> What you are seeing is correct, with Intel::ADDR in "matched" and
> Bad Reputation Domain in "sources" field.
>
> -Fatema.
>
> P.S: Here is the description of the intel record (from the Bro script
> reference; type and attribute links go to
> https://www.bro.org/sphinx-git/script-reference/types.html and
> https://www.bro.org/sphinx-git/script-reference/attributes.html):
>
> Type: record
>
>   ts: time &log
>     Timestamp when the data was discovered.
>
>   uid: string &log &optional
>     If a connection was associated with this intelligence hit, this is
>     the uid for the connection.
>
>   id: conn_id &log &optional
>     (conn_id: https://www.bro.org/sphinx-git/scripts/base/init-bare.bro.html#type-conn_id)
>     If a connection was associated with this intelligence hit, this is
>     the conn_id for the connection.
>
>   seen: Intel::Seen &log
>     (Intel::Seen: https://www.bro.org/sphinx-git/scripts/base/frameworks/intel/main.bro.html#type-Intel::Seen)
>     Where the data was seen.
>
>   matched: Intel::TypeSet &log
>     (Intel::TypeSet: https://www.bro.org/sphinx-git/scripts/base/frameworks/intel/main.bro.html#type-Intel::TypeSet)
>     Which indicator types matched.
>
>   sources: set[string] &log &default = { } &optional
>     Sources which supplied data that resulted in this match.
>
>   fuid: string &log &optional
>     (present if base/frameworks/intel/files.bro is loaded:
>     https://www.bro.org/sphinx-git/scripts/base/frameworks/intel/files.bro.html)
>     If a file was associated with this intelligence hit, this is the uid
>     for the file.
>
>   file_mime_type: string &log &optional
>     (present if base/frameworks/intel/files.bro is loaded)
>     A mime type if the intelligence hit is related to a file. If the $f
>     field is provided this will be automatically filled out.
>
>   file_desc: string &log &optional
>     (present if base/frameworks/intel/files.bro is loaded)
>     Frequently files can be "described" to give a bit more context. If
>     the $f field is provided this field will be automatically filled out.
>



-- 
Rodrigo Kroll
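The point of Fatema's reply is that "matched" and "sources" are two separate set-typed columns, so a line that shows Intel::ADDR in one and "Bad Reputation Domain" in the other is the normal layout, not a formatting bug. The parser below is an added example (not code from this thread or from the Bro project) that reads Bro's tab-separated ASCII log format using the #separator, #set_separator, #empty_field, #unset_field, #fields and #types headers, turns set[...] columns into Python sets, and counts hits per intel source. The two log lines are constructed samples; the column order is assumed to follow the Intel::Info record quoted above, and the helper names (parse_bro_log, hits_by_source, describe_hit) are the example's own.

```python
import codecs
from typing import Any, Dict, List

# Constructed sample intel.log in Bro's tab-separated ASCII log format.
# The column layout follows the Intel::Info record quoted in the thread
# (ts, uid, id.*, seen.*, matched, sources, fuid, file_mime_type, file_desc);
# the uids, addresses and indicator values are made up, not from a capture.
SAMPLE_INTEL_LOG = "\n".join([
    "#separator \\x09",            # written escaped in the log, as Bro does
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tintel",
    "#fields\t" + "\t".join([
        "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
        "seen.indicator", "seen.indicator_type", "seen.where", "seen.node",
        "matched", "sources", "fuid", "file_mime_type", "file_desc"]),
    "#types\t" + "\t".join([
        "time", "string", "addr", "port", "addr", "port",
        "string", "enum", "enum", "string",
        "set[enum]", "set[string]", "string", "string", "string"]),
    "\t".join([
        "1485273835.123456", "CXWv6p3arKYeMETxOg", "10.0.0.5", "51234",
        "203.0.113.9", "80", "203.0.113.9", "Intel::ADDR", "Conn::IN_RESP",
        "bro", "Intel::ADDR", "Bad Reputation Domain", "-", "-", "-"]),
    "\t".join([
        "1485273901.500000", "CjhGID4nQcgTWjvg4c", "10.0.0.7", "40123",
        "10.0.0.2", "53", "evil.example", "Intel::DOMAIN", "DNS::IN_REQUEST",
        "bro", "Intel::DOMAIN", "Bad Reputation Domain,Internal Blocklist",
        "-", "-", "-"]),
])


def convert(raw: str, typ: str, set_sep: str, empty: str, unset: str) -> Any:
    """Convert one raw column using the declared Bro type."""
    if raw == unset:                      # "-" means the &optional field is unset
        return None
    if typ.startswith(("set[", "vector[")):
        is_set = typ.startswith("set[")
        if raw == empty:                  # "(empty)" means an empty container
            return set() if is_set else []
        items = raw.split(set_sep)        # container members are joined by set_separator
        return set(items) if is_set else items
    if typ in ("count", "int", "port"):
        return int(raw)
    if typ in ("time", "interval", "double"):
        return float(raw)
    return raw                            # string, addr, enum, bool... kept as text


def parse_bro_log(text: str) -> List[Dict[str, Any]]:
    """Parse a Bro ASCII log into a list of dicts keyed by #fields names."""
    sep, set_sep, empty, unset = "\t", ",", "(empty)", "-"
    fields: List[str] = []
    types: List[str] = []
    records: List[Dict[str, Any]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # The separator itself is escaped (\x09 for tab), so unescape it.
                sep = codecs.decode(line[len("#separator "):], "unicode_escape")
                continue
            key, _, value = line[1:].partition(sep)
            if key == "set_separator":
                set_sep = value
            elif key == "empty_field":
                empty = value
            elif key == "unset_field":
                unset = value
            elif key == "fields":
                fields = value.split(sep)
            elif key == "types":
                types = value.split(sep)
            continue                      # #path, #open, #close are metadata only
        cols = line.split(sep)
        records.append({name: convert(raw, typ, set_sep, empty, unset)
                        for name, typ, raw in zip(fields, types, cols)})
    return records


def hits_by_source(records: List[Dict[str, Any]]) -> Dict[str, int]:
    """Count intel hits per feed named in the 'sources' set column."""
    counts: Dict[str, int] = {}
    for rec in records:
        for src in rec.get("sources") or set():
            counts[src] = counts.get(src, 0) + 1
    return counts


def describe_hit(rec: Dict[str, Any]) -> str:
    """One-line summary showing that matched (types) and sources (feeds) differ."""
    matched = ",".join(sorted(rec.get("matched") or ()))
    sources = ",".join(sorted(rec.get("sources") or ()))
    return (f'{rec["seen.indicator"]} matched [{matched}] seen at '
            f'{rec["seen.where"]} from sources [{sources}]')


if __name__ == "__main__":
    for rec in parse_bro_log(SAMPLE_INTEL_LOG):
        print(describe_hit(rec))
    print(hits_by_source(parse_bro_log(SAMPLE_INTEL_LOG)))
```

Reading the separators and types from the header rather than hard-coding tabs and commas is what keeps the parser correct when a log is written with a non-default separator, and handling "(empty)" and "-" distinctly matters for intel.log, where fuid, file_mime_type and file_desc are unset for connection-based hits and sources may legitimately be empty.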