[Bro] bro intel {INTEL::URL} data file format check
Azoff, Justin S
jazoff at illinois.edu
Fri Jun 15 09:39:11 PDT 2018
> On Jun 15, 2018, at 12:32 PM, ps sunu <pssunu6 at gmail.com> wrote:
>
> Hi,
> I am using Bro intel, INTEL::URL, in the format below
>
> #fields indicator indicator_type meta.source meta.url meta.do_notice meta.if_in meta.whitelist
> hardcomng.com/doc/Main/ Intel::URL cybercrime-url - T - -
> hardcomng.com/diamond/ Intel::URL cybercrime-url - T - -
> hardcomng.com/doc/Formgrab/ Intel::URL cybercrime-url - T - -
> hardcomng.com/panel/login/ Intel::URL cybercrime-url - T - -
> name.xcution.pw/ Intel::URL cybercrime-url - T - -
> melatidanes.com/m3l4t1DANES/asset/js/connect/login.php Intel::URL cybercrime-url - T - -
> forwarderindia.cf/dollarspanel/login.php Intel::URL cybercrime-url - T - -
> nobles-iq.com/WebPanel/login.php Intel::URL cybercrime-url - T - -
>
>
> but I am facing one problem: in intel.log, seen.indicator is showing blank
>
> "seen.indicator":"" -- the URL needs to appear here
>
>
> Is my format wrong? I am using the mal-dns2bro.sh script for formatting.
What does your full intel.log line look like? I'm not sure how indicator could be blank, as that's what triggers the log event in the first place.
—
Justin Azoff
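The quickest way to answer the original question ("is my format wrong?") is to check the intel file mechanically before Bro loads it. The Python script below is an added example, not part of this thread and not code from the Bro project or from mal-dns2bro.sh. It assumes what the Bro Intel framework's input files require: a `#fields` header, tab-separated columns (the mail rendering above shows spaces, which is exactly the kind of thing that makes the input framework silently misread a line), a `meta.source` column, and an `indicator_type` from the `Intel::Type` enum. The rule that `Intel::URL` indicators carry no `http://` scheme follows from how the HTTP "seen" script builds the URL it looks up (host plus path); the set of known types is written from memory and may not match every Bro version. The sample input is constructed for the example, modelled on the posted lines, and deliberately contains one space-separated row, one row with a scheme, and one short row.

```python
"""Sanity-check a Bro/Zeek Intel framework input file before loading it.

Added example; assumptions (tab separation, required columns, no scheme
on Intel::URL indicators, the type list) are stated in the lead-in.
"""

# Intel::Type values as the author recalls them; treat as an assumption
# and extend for your Bro version if needed.
KNOWN_TYPES = {
    "Intel::ADDR", "Intel::SUBNET", "Intel::URL", "Intel::SOFTWARE",
    "Intel::EMAIL", "Intel::DOMAIN", "Intel::USER_NAME", "Intel::FILE_HASH",
    "Intel::FILE_NAME", "Intel::CERT_HASH", "Intel::PUBKEY_HASH",
}

# Columns every intel file must declare in its #fields header.
REQUIRED = ("indicator", "indicator_type", "meta.source")


def check_intel_file(text):
    """Return a list of (line_no, message) problems. An empty list means OK.

    line_no is 1-based; 0 is used for whole-file problems.
    """
    problems = []
    fields = None  # column names from the #fields header, once seen

    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue  # blank lines are ignored by the input framework

        if line.startswith("#fields"):
            if "\t" not in line:
                problems.append((n, "#fields header is not tab-separated"))
                fields = line.split()[1:]  # best effort so later rows still get checked
            else:
                fields = line.split("\t")[1:]
            for r in REQUIRED:
                if r not in fields:
                    problems.append((n, "header lacks required column %s" % r))
            continue

        if line.startswith("#"):
            continue  # other comment/meta lines

        if fields is None:
            problems.append((n, "data line appears before the #fields header"))
            continue

        if "\t" not in line:
            # A space-separated row is read as ONE column by the input
            # framework, so none of its fields line up with the header.
            problems.append((n, "line is not tab-separated (spaces instead of tabs?)"))
            continue

        cols = line.split("\t")
        if len(cols) != len(fields):
            problems.append((n, "expected %d columns, got %d" % (len(fields), len(cols))))
            continue

        row = dict(zip(fields, cols))
        if row["indicator"] in ("", "-"):
            problems.append((n, "empty indicator"))
        if row["indicator_type"] not in KNOWN_TYPES:
            problems.append((n, "unknown indicator_type %s" % row["indicator_type"]))
        if row["indicator_type"] == "Intel::URL" and "://" in row["indicator"]:
            # The HTTP seen script looks up host+path, never the scheme.
            problems.append((n, "Intel::URL indicator should omit the scheme (no http://)"))
        if row.get("meta.do_notice", "-") not in ("T", "F", "-"):
            problems.append((n, "meta.do_notice must be T or F"))

    if fields is None:
        problems.append((0, "no #fields header found"))
    return problems


# Constructed sample input (not the poster's real file): row 3 uses spaces,
# row 4 carries a scheme, row 5 is missing two columns.
SAMPLE = (
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.url\tmeta.do_notice\tmeta.if_in\tmeta.whitelist\n"
    "hardcomng.com/doc/Main/\tIntel::URL\tcybercrime-url\t-\tT\t-\t-\n"
    "hardcomng.com/panel/login/ Intel::URL cybercrime-url - T - -\n"
    "http://name.xcution.pw/\tIntel::URL\tcybercrime-url\t-\tT\t-\t-\n"
    "nobles-iq.com/WebPanel/login.php\tIntel::URL\tcybercrime-url\t-\tT\n"
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for line_no, msg in check_intel_file(data):
        print("line %d: %s" % (line_no, msg))
```

Run it as `python check_intel.py /path/to/intel.dat`; with no argument it checks the constructed sample and reports the three bad rows. A clean file produces no output, which is the state you want before pointing `Intel::read_files` at it.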