[Bro] A little more confusion with Intel

James Lay jlay at slave-tothe-box.net
Thu Jan 18 09:24:12 PST 2018


In this particular test I haven't set it for either run.  Thanks
Michael. 

James 

On 2018-01-18 10:16, Michael Shirk wrote:

> What do you have your local_nets set to? 
> 
> --
> Michael Shirk
> Daemon Security, Inc.
> https://www.daemon-security.com 
> 
> On Jan 18, 2018 11:55, "James Lay" <jlay at slave-tothe-box.net> wrote:
> 
>> So I'm testing something completely unrelated to this issue, but I've run into something interesting.  First off following this works: 
>> 
>> https://www.bro.org/current/solutions/intel/index.html 
>> 
>> my test intel-1.bro: 
>> @load frameworks/intel/seen
>> 
>> redef Intel::read_files += {
>> fmt("%s/intel-1.dat", @DIR)
>> }; 
>> 
>> my intel-1.dat file (whitespace=tab): 
>> #fields indicator indicator_type meta.source
>> fetchback.com Intel::DOMAIN my_special_source
>> yahoo.com Intel::DOMAIN testdomain 
>> 
>> I've carved out the dns request for fetchback.com from the exercise packet capture, which I'm including.  Testing line below works just fine: 
>> 
>> bro -C -r exercise-traffic-fetch-dns.pcap intel-1.bro 
>> 
>> I see lots of good stuff: 
>> conn.log
>> 1258565309.806483 CmeOAzpOmlw26nOEi 192.168.1.103 53856 192.168.1.1 53 udp dns 0.200354 31 99 SF - - 0 Dd 1 59 1 127 (empty)
>> 
>> dns.log
>> 1258565309.806483 CVifWt1zc5YSG0Vhc9 192.168.1.103 53856 192.168.1.1 53 udp 4438 0.200354 fetchback.com 1 C_INTERNET 1 A 0 NOERROR F F TT 0 69.71.52.52 1800.000000 F
>> 
>> intel.log
>> 1258565309.806483 CmeOAzpOmlw26nOEi 192.168.1.103 53856 192.168.1.1 53 fetchback.com Intel::DOMAIN DNS::IN_REQUEST bro Intel::DOMAIN my_special_source - - -
>> 
>> however running against the included yahoodns.pcap here's what I get: 
>> conn.log 
>> 1516289219.143906 CFXRMB4RJIFYSdw72a 192.168.1.2 62196 192.168.1.1 53 udp dns 0.003246 31 124 SF - - 0 Dd 1 59 1 152 (empty)
>> 
>> dns.log 
>> 1516289219.143906 CFXRMB4RJIFYSdw72a 192.168.1.2 62196 192.168.1.1 53 udp 3285 0.003246 www.yahoo.com 1 C_INTERNET 1 A 0 NOERROR F F TT 0 atsv2-fp.wg1.b.yahoo.com,98.138.252.38,98.138.252.39,98.139.180.180,206.190.39.43 1320.000000,39.000000,39.000000,39.000000,39.000000 F 
>> 
>> and no intel.log.  What's different here?  Would love to know what I'm missing... thank you. 
>> 
>> James 
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

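As an added example (not code from the thread and not Bro's own implementation), the script below loads the intel-1.dat file quoted above and looks up the two query names from the two dns.log lines. It models the Intel framework's string-indicator lookup as an exact, case-insensitive match (an assumption about the Bro version in use, consistent with the result in the thread: "yahoo.com" is loaded, the query is "www.yahoo.com", and no intel.log appears); the parent-domain walk is an added contrast, not Bro behaviour, to show what a subdomain-covering match would take.

```python
# Constructed copy of the intel-1.dat file from the thread: tab-separated,
# with the "#fields" header line the Intel framework's input reader expects.
INTEL_DAT = (
    "#fields\tindicator\tindicator_type\tmeta.source\n"
    "fetchback.com\tIntel::DOMAIN\tmy_special_source\n"
    "yahoo.com\tIntel::DOMAIN\ttestdomain\n"
)

def load_intel(text):
    """Parse a #fields-headed, tab-separated intel file into a dict keyed by
    (lower-cased indicator, indicator_type) -> list of meta.source values."""
    store = {}
    fields = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#fields"):
            fields = raw.split("\t")[1:]
            continue
        if raw.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        row = dict(zip(fields, raw.split("\t")))
        key = (row["indicator"].lower(), row["indicator_type"])
        store.setdefault(key, []).append(row["meta.source"])
    return store

def seen_exact(store, query):
    """Exact, case-insensitive lookup of a DNS query name (assumed model of
    how Intel::DOMAIN indicators are matched). Returns the matching sources."""
    return store.get((query.lower(), "Intel::DOMAIN"), [])

def seen_with_parents(store, query):
    """Contrast only (not Bro behaviour): also try every parent domain of the
    query name, so a 'yahoo.com' indicator would cover 'www.yahoo.com'."""
    labels = query.lower().rstrip(".").split(".")
    hits = []
    for i in range(len(labels) - 1):
        cand = ".".join(labels[i:])
        hits.extend((cand, src) for src in store.get((cand, "Intel::DOMAIN"), []))
    return hits

if __name__ == "__main__":
    store = load_intel(INTEL_DAT)
    # Query names taken from the two dns.log lines in the thread.
    for q in ("fetchback.com", "www.yahoo.com"):
        print(q, "exact:", seen_exact(store, q), "parents:", seen_with_parents(store, q))
```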