[Bro] A little more confusion with Intel
James Lay
jlay at slave-tothe-box.net
Thu Jan 18 09:33:07 PST 2018
Thanks... both entries are tab-formatted... still digging on my end via
trace files.
James
On 2018-01-18 10:26, Michael Shirk wrote:
> Maybe tab formatting in the intel.dat file?
>
> I think you will get Reporter errors, so the first IOC works, but the second one does not because it cannot be parsed.
>
> --
> Michael Shirk
> Daemon Security, Inc.
> https://www.daemon-security.com
>
> On Jan 18, 2018 12:24, "James Lay" <jlay at slave-tothe-box.net> wrote:
>
> In this particular test I haven't set it for either run. Thanks Michael.
>
> James
>
> On 2018-01-18 10:16, Michael Shirk wrote:
> What do you have your local_nets set to?
>
> --
> Michael Shirk
> Daemon Security, Inc.
> https://www.daemon-security.com [1]
>
> On Jan 18, 2018 11:55, "James Lay" <jlay at slave-tothe-box.net> wrote:
>
> So I'm testing something completely unrelated to this issue, but I've run into something interesting. First off following this works:
>
> https://www.bro.org/current/solutions/intel/index.html [2]
>
> my test intel-1.bro:
> @load frameworks/intel/seen
>
> redef Intel::read_files += {
> fmt("%s/intel-1.dat", @DIR)
> };
>
> my intel-1.dat file (whitespace=tab):
> #fields indicator indicator_type meta.source
> fetchback.com Intel::DOMAIN my_special_source
> yahoo.com Intel::DOMAIN testdomain
>
> I've carved out the DNS request for fetchback.com from the exercise packet capture, which I'm including. The test line below works just fine:
>
> bro -C -r exercise-traffic-fetch-dns.pcap intel-1.bro
>
> I see lots of good stuff:
> conn.log
> 1258565309.806483 CmeOAzpOmlw26nOEi 192.168.1.103 53856 192.168.1.1 53 udp dns 0.200354 31 99 SF - - 0 Dd 1 59 1 127 (empty)
>
> dns.log
> 1258565309.806483 CVifWt1zc5YSG0Vhc9 192.168.1.103 53856 192.168.1.1 53 udp 4438 0.200354 fetchback.com 1 C_INTERNET 1 A 0 NOERROR F F TT 0 69.71.52.52 1800.000000 F
>
> intel.log
> 1258565309.806483 CmeOAzpOmlw26nOEi 192.168.1.103 53856 192.168.1.1 53 fetchback.com Intel::DOMAIN DNS::IN_REQUEST bro Intel::DOMAIN my_special_source - - -
>
> however running against the included yahoodns.pcap here's what I get:
> conn.log
> 1516289219.143906 CFXRMB4RJIFYSdw72a 192.168.1.2 62196 192.168.1.1 53 udp dns 0.003246 31 124 SF - - 0 Dd 1 59 1 152 (empty)
>
> dns.log
> 1516289219.143906 CFXRMB4RJIFYSdw72a 192.168.1.2 62196 192.168.1.1 53 udp 3285 0.003246 www.yahoo.com 1 C_INTERNET 1 A 0 NOERROR F F TT 0 atsv2-fp.wg1.b.yahoo.com,98.138.252.38,98.138.252.39,98.139.180.180,206.190.39.43 1320.000000,39.000000,39.000000,39.000000,39.000000 F
>
> and no intel.log. What's different here? Would love to know what I'm missing... thank you.
>
> James
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro [7]
Links:
------
[1] https://www.daemon-security.com
[2] https://www.bro.org/current/solutions/intel/index.html
[3] http://fetchback.com
[4] http://yahoo.com
[5] http://www.yahoo.com
[6] http://atsv2-fp.wg1.b.yahoo.com
[7] http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
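The two things the thread turns on are whether intel-1.dat is really tab-separated (Michael's suspicion) and why a query for www.yahoo.com produces no intel.log hit when the indicator is yahoo.com. The script below is an added example, not code from the thread or from Bro: it parses an Intel::read_files data file the way the Input framework expects it (tab-separated, `#fields` header), reports rows whose column count does not match the header, and then replays the DNS::IN_REQUEST lookup over dns.log query names. Two assumptions are built in and labelled: the lookup is modelled as an exact, case-insensitive comparison of the query name against Intel::DOMAIN indicators (so www.yahoo.com is not a hit on yahoo.com), and the sample intel file and dns.log lines are constructed from the values quoted above, with dns.log trimmed to the leading columns through `query`.

```python
"""Sanity-check a Bro Intel framework data file and replay the DNS lookup.

Added example; not code from the mailing-list thread or from Bro.
Assumptions (discussed in the thread but not settled there):
  * Intel::read_files input is tab-separated with a '#fields' header, so a
    row whose columns are separated by spaces is reported as a parse
    problem (the mis-parse suspected behind the missing second entry);
  * the DNS::IN_REQUEST lookup is modelled as an exact, case-insensitive
    comparison of the query name with Intel::DOMAIN indicators, so a
    query for www.yahoo.com is not a hit on an indicator of yahoo.com.
All sample inputs below are constructed from values quoted in the thread.
"""
from typing import Dict, List, Tuple

# Constructed: intel-1.dat from the thread, correctly tab-separated.
GOOD_INTEL = (
    "#fields\tindicator\tindicator_type\tmeta.source\n"
    "fetchback.com\tIntel::DOMAIN\tmy_special_source\n"
    "yahoo.com\tIntel::DOMAIN\ttestdomain\n"
)

# Constructed: the same file, but the second row pasted with spaces.
BAD_INTEL = (
    "#fields\tindicator\tindicator_type\tmeta.source\n"
    "fetchback.com\tIntel::DOMAIN\tmy_special_source\n"
    "yahoo.com Intel::DOMAIN testdomain\n"
)

# Constructed dns.log, trimmed to the columns through 'query'; the uids and
# query names are the ones shown in the thread.
DNS_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\ttrans_id\trtt\tquery\n"
    "1258565309.806483\tCVifWt1zc5YSG0Vhc9\t192.168.1.103\t53856\t192.168.1.1"
    "\t53\tudp\t4438\t0.200354\tfetchback.com\n"
    "1516289219.143906\tCFXRMB4RJIFYSdw72a\t192.168.1.2\t62196\t192.168.1.1"
    "\t53\tudp\t3285\t0.003246\twww.yahoo.com\n"
)


def _split_tsv(text: str) -> Tuple[List[str], List[Tuple[int, List[str]]]]:
    """Return (#fields names, [(line_no, columns)]) for a Bro-style TSV."""
    fields: List[str] = []
    rows: List[Tuple[int, List[str]]] = []
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):  # any other directive or comment line
            continue
        rows.append((n, line.split("\t")))
    return fields, rows


def parse_intel_file(text: str) -> Tuple[List[Dict[str, str]], List[str]]:
    """Parse an Intel::read_files data file into (records, problems).

    A row whose tab-separated column count differs from the header is
    reported rather than loaded: the Input framework cannot map such a row
    onto the declared fields, which is the failure mode the thread suspects.
    """
    fields, rows = _split_tsv(text)
    records: List[Dict[str, str]] = []
    problems: List[str] = []
    if not fields:
        return records, ["no tab-separated '#fields' header line"]
    for n, cols in rows:
        if len(cols) != len(fields):
            hint = " (looks space-separated)" if len(cols) == 1 and " " in cols[0] else ""
            problems.append(f"line {n}: expected {len(fields)} tab-separated "
                            f"columns, got {len(cols)}{hint}")
            continue
        records.append(dict(zip(fields, cols)))
    return records, problems


def parse_dns_log(text: str) -> List[Tuple[str, str]]:
    """Return [(uid, query)] from a dns.log, locating columns via #fields."""
    fields, rows = _split_tsv(text)
    uid_i, q_i = fields.index("uid"), fields.index("query")
    return [(c[uid_i], c[q_i]) for _, c in rows if len(c) > max(uid_i, q_i)]


def domain_indicators(records: List[Dict[str, str]]) -> Dict[str, str]:
    """Map lower-cased Intel::DOMAIN indicator -> meta.source."""
    return {r["indicator"].lower(): r["meta.source"]
            for r in records if r["indicator_type"] == "Intel::DOMAIN"}


def match_dns(records, queries) -> List[Tuple[str, str, str]]:
    """Replay DNS::IN_REQUEST as an exact-match lookup (assumption above)."""
    table = domain_indicators(records)
    return [(uid, q, table[q.lower()]) for uid, q in queries if q.lower() in table]


def ancestors_in_intel(query: str, records) -> List[str]:
    """Parent domains of `query` that are indicators: explains a near miss."""
    table = domain_indicators(records)
    labels = query.lower().split(".")
    parents = [".".join(labels[i:]) for i in range(1, len(labels) - 1)]
    return [p for p in parents if p in table]


if __name__ == "__main__":
    for name, text in (("good", GOOD_INTEL), ("bad", BAD_INTEL)):
        recs, probs = parse_intel_file(text)
        print(f"{name}: {len(recs)} indicator(s) loaded; problems: {probs or 'none'}")
    recs, _ = parse_intel_file(GOOD_INTEL)
    queries = parse_dns_log(DNS_LOG)
    print("hits:", match_dns(recs, queries))
    for uid, q in queries:
        near = ancestors_in_intel(q, recs)
        if near and not match_dns(recs, [(uid, q)]):
            print(f"no hit for {q} ({uid}); exact-match misses parent indicator(s) {near}")
```

Run against the constructed inputs, the space-separated row is reported instead of loaded, fetchback.com produces the one hit, and www.yahoo.com is reported as a near miss on the yahoo.com indicator. To check a real file, replace the constructed strings with the contents of intel-1.dat and dns.log; the dns.log parser only needs the `#fields` header to locate the `uid` and `query` columns.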