[Bro] A little more confusion with Intel

James Lay jlay at slave-tothe-box.net
Thu Jan 18 09:33:07 PST 2018 

Thanks...both entries are tabbed formatted...still digging on my end via
trace files. 

James 

On 2018-01-18 10:26, Michael Shirk wrote:

> Maybe tab formatting in the intel.dat file?  
> 
> I think you will get Reporter errors, so the first IOC works, but the second one does not because it cannot be parsed.
> 
> --
> Michael Shirk
> Daemon Security, Inc.
> https://www.daemon-security.com 
> 
> On Jan 18, 2018 12:24, "James Lay" <jlay at slave-tothe-box.net> wrote:
> 
> In this particular test I haven't set it for either run.  Thanks Michael. 
> 
> James 
> 
> On 2018-01-18 10:16, Michael Shirk wrote: 
> What do you have your local_nets set to? 
> 
> --
> Michael Shirk
> Daemon Security, Inc.
> https://www.daemon-security.com [1] 
> 
> On Jan 18, 2018 11:55, "James Lay" <jlay at slave-tothe-box.net> wrote:
> 
> So I'm testing something completely unrelated to this issue, but I've run into something interesting.  First off following this works: 
> 
> https://www.bro.org/current/solutions/intel/index.html [2] 
> 
> my test intel-1.bro: 
> @load frameworks/intel/seen
> 
> redef Intel::read_files += {
> fmt("%s/intel-1.dat", @DIR)
> }; 
> 
> my intel-1.dat file (whitespace=tab): 
> #fields indicator indicator_type meta.source
> fetchback.com [3] Intel::DOMAIN my_special_source
> yahoo.com [4] Intel::DOMAIN testdomain 
> 
> I've carved out the dns request for fetchback.com [3] from the exercise packet capture, which I'm including.  Testing line below works just fine: 
> 
> bro -C -r exercise-traffic-fetch-dns.pcap intel-1.bro 
> 
> I see lot's of good stuff: 
> conn.log
> 1258565309.806483 CmeOAzpOmlw26nOEi 192.168.1.103 53856 192.168.1.1 53 udp dns 0.200354 31 99 SF - - 0 Dd 1 59 1 127 (empty)
> 
> dns.log
> 1258565309.806483       CVifWt1zc5YSG0Vhc9      192.168.1.103   53856   192.168.1.1     53      udp     4438    0.200354        fetchback.com [3]   1       C_INTERNET      1       A       0       NOERROR F       F      TT       0       69.71.52.52     1800.000000 F
> 
> intel.log
> 1258565309.806483 CmeOAzpOmlw26nOEi 192.168.1.103 53856 192.168.1.1 53 fetchback.com [3] Intel::DOMAIN DNS::IN_REQUEST bro Intel::DOMAIN my_special_source - - -
> 
> however running against the included yahoodns.pcap here's what I get: 
> conn.log 
> 1516289219.143906 CFXRMB4RJIFYSdw72a 192.168.1.2 62196 192.168.1.1 53 udp dns 0.003246 31 124 SF - - 0 Dd 1 59 1 152 (empty)
> 
> dns.log 
> 1516289219.143906 CFXRMB4RJIFYSdw72a 192.168.1.2 62196 192.168.1.1 53 udp 3285 0.003246 www.yahoo.com [5] 1 C_INTERNET 1 A 0 NOERROR F F TT 0 atsv2-fp.wg1.b.yahoo.com [6],98.138.252.38,98.138.252.39,98.139.180.180,206.190.39.43 1320.000000,39.000000,39.000000,39.000000,39.000000 F 
> 
> and no intel.log.  What's different here?  Would love to know what I'm missing..thank you. 
> 
> James 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro [7]

  

Links:
------
[1] https://www.daemon-security.com
[2] https://www.bro.org/current/solutions/intel/index.html
[3] http://fetchback.com
[4] http://yahoo.com
[5] http://www.yahoo.com
[6] http://atsv2-fp.wg1.b.yahoo.com
[7] http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180118/14cd6154/attachment-0001.html

More information about the Bro mailing list