[Bro] A little more confusion with Intel

James Lay jlay at slave-tothe-box.net
Thu Jan 18 10:06:33 PST 2018


So mystery #1 solved: Intel::DOMAIN != tld domain; cool. Next up...with
these same files only having this in the intel-1.dat file: 

192.168.1.1     Intel::ADDR     testip 

The above is tab-formatted correctly. Now...running against both
pcaps I get no intel hits. Here are the only entries in the trace file
that show Intel::ADDR: 

}]', tpe = 'Input::EVENT_NEW', item = '[indicator=192.168.1.1,
indicator_type=Intel::ADDR, meta=[source=testip, desc=<uninitialized>,
url=<uninitialized>]]')
0.000000 /opt/bro/share/bro/base/frameworks/intel/./main.bro:469
function called: Intel::insert(item = '[indicator=192.168.1.1,
indicator_type=Intel::ADDR, meta=[source=testip, desc=<uninitialized>,
url=<uninitialized>]]')
0.000000 /opt/bro/share/bro/base/frameworks/intel/./main.bro:400 Builtin
Function called: to_lower(str = '192.168.1.1')
0.000000 /opt/bro/share/bro/base/frameworks/intel/./main.bro:400
Function return: 192.168.1.1
0.000000 /opt/bro/share/bro/base/frameworks/intel/./main.bro:404 Builtin
Function called: to_addr(ip = '192.168.1.1')
0.000000 /opt/bro/share/bro/base/frameworks/intel/./main.bro:404
Function return: 192.168.1.1
0.000000 /opt/bro/share/bro/base/frameworks/input/./main.bro:248 event
called: Input::end_of_data(name =
'intel-/home/user/dev/bro/intel/./intel-1.dat', source =
'/home/user/dev/bro/intel/./intel-1.dat')
0.000000 /opt/bro/share/bro/base/utils/./exec.bro:102 Builtin Function
called: split_string1(str =
'intel-/home/user/dev/bro/intel/./intel-1.dat', re = '/^?(_)$?/')
0.000000 /opt/bro/share/bro/base/utils/./exec.bro:102 Function return:
[intel-/home/user/dev/bro/intel/./intel-1.dat]
1516289219.143906
/opt/bro/share/bro/base/misc/find-checksum-offloading.bro:62 event
called: ChecksumOffloading::check()
1516289219.143906
/opt/bro/share/bro/base/misc/find-checksum-offloading.bro:29 Builtin
Function called: get_net_stats()
1516289219.143906
/opt/bro/share/bro/base/misc/find-checksum-offloading.bro:29 Function
return: [pkts_recvd=1, pkts_dropped=0, pkts_link=0, bytes_recvd=73]
1516289219.143906
/opt/bro/share/bro/base/frameworks/packet-filter/./main.bro:157 event
called: filter_change_tracking()
1516289219.143906 /opt/bro/share/bro/base/bif/event.bif.bro:88 event
called: new_connection(c = '[id=[orig_h=192.168.1.2, orig_p=62196/udp,
resp_h=192.168.1.1, resp_p=53/udp], orig=[size=31, state=1, num_pkts=0,
num_bytes_ip=0, flow_label=0, l2_addr=48:4d:7e:a3:53:5e], resp=[size=0,
state=0, num_pkts=0, num_bytes_ip=0, flow_label=0,
l2_addr=00:08:e3:ff:fc:04], start_time=1516289219.143906, duration=0.0,
service={ 

Here too, is there something I'm missing? In testing different packet
captures using TCP, I get intel...so does the Intel framework not
support UDP? Thank you. 

James 

On 2018-01-18 10:42, James Lay wrote:

> Wait what?  So....it looks like www.yahoo.com matches, but yahoo.com doesn't? 
> 
> That kinda nukes the whole match any bad host with domain ;)  Thank you can lend a hand Seth?  Thanks. 
> 
> James
> 
> On 2018-01-18 10:33, Azoff, Justin S wrote:
> 
> > On Jan 18, 2018, at 11:42 AM, James Lay <jlay at slave-tothe-box.net> wrote:
> > 
> > ... 
> > yahoo.com Intel::DOMAIN testdomain
> > ... 
> > 1516289219.143906 CFXRMB4RJIFYSdw72a 192.168.1.2 62196 192.168.1.1 53 udp 3285 0.003246 www.yahoo.com 1 C_INTERNET 1 A 0 NOERROR F F TT 0 atsv2-fp.wg1.b.yahoo.com,98.138.252.38,98.138.252.39,98.139.180.180,206.190.39.43 1320.000000,39.000000,39.000000,39.000000,39.000000 F
> > 
> > and no intel.log.  What's different here?  Would love to know what I'm missing..thank you. 
> 
> www.yahoo.com is not yahoo.com
> 
> You need an Intel::seen event that uses
> https://github.com/sethhall/domain-tld to get that to match.  I
> thought someone wrote a package that did this, but apparently not.
> 
> -- 
> Justin Azoff
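
One way to get the yahoo.com indicator to fire on a query for www.yahoo.com, as an added example that is not code from the thread, from Bro, or from the domain-tld package Justin points to: instead of the package's effective-TLD lookup, submit every parent domain of the DNS query to Intel::seen (the module name and parent_domains() function are invented for this example).

```zeek
# Added example for this thread; it is not code from Bro, the Intel
# framework, or the domain-tld package. The module and function names
# are invented for the example.
@load base/frameworks/intel
@load policy/frameworks/intel/seen

module IntelSeenParentDomains;

# Returns the parent domains of a query, longest first, skipping the
# full name and the bare TLD:
#   "www.a.yahoo.com" -> [ "a.yahoo.com", "yahoo.com" ]
function parent_domains(q: string): vector of string
	{
	local parts = split_string(q, /\./);
	local n = |parts|;
	local out: vector of string = vector();
	for ( i in parts )
		{
		# i == 0 is the full name (already submitted by the stock
		# seen/dns.bro script); i == n-1 is the bare TLD ("com").
		if ( i == 0 || i + 1 >= n )
			next;
		local suffix = parts[i];
		for ( j in parts )
			{
			if ( j > i )
				suffix = suffix + "." + parts[j];
			}
		out[|out|] = suffix;
		}
	return out;
	}

event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
	{
	# With the "yahoo.com Intel::DOMAIN testdomain" indicator loaded, a
	# query for www.yahoo.com now produces an intel.log hit on yahoo.com.
	local parents = parent_domains(query);
	for ( i in parents )
		Intel::seen([$indicator=parents[i],
		             $indicator_type=Intel::DOMAIN,
		             $conn=c,
		             $where=DNS::IN_REQUEST]);
	}
```

Every parent label is checked, so an indicator such as "a.yahoo.com" matches as well; the lookups are set membership tests, so the extra cost per query is small.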

_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro 
