[Bro] bro intel {INTEL::URL} date file format check

ps sunu pssunu6 at gmail.com
Fri Jun 15 09:59:35 PDT 2018


We are creating it from:

wget -N http://cybercrime-tracker.net/all.php

./mal-dns2bro.sh -T url -f all.php -s cybercrime-url -n true > cybercrime_url.intel

On Fri, Jun 15, 2018 at 10:21 PM, ps sunu <pssunu6 at gmail.com> wrote:

> {"ts":1529049750.133943,"uid":"CHZHCR1m2zAzOqJer7","id.orig_h":"10.10.49.11","id.orig_p":5345,"id.resp_h":"149.96.16.51","id.resp_p":25,"seen.indicator":"","seen.indicator_type":"Intel::URL","seen.where":"SMTP::IN_MESSAGE","seen.node":"worker-1-4","matched":["Intel::URL"],"sources":["cybercrime-url"]}
>
>
>
> On Fri, Jun 15, 2018 at 10:09 PM, Azoff, Justin S <jazoff at illinois.edu>
> wrote:
>
>>
>> > On Jun 15, 2018, at 12:32 PM, ps sunu <pssunu6 at gmail.com> wrote:
>> >
>> > Hi,
>> > I am using Bro intel, Intel::URL, in the format below:
>> >
>> > #fields indicator       indicator_type  meta.source     meta.url        meta.do_notice  meta.if_in      meta.whitelist
>> > hardcomng.com/doc/Main/ Intel::URL      cybercrime-url  -       T       -       -
>> > hardcomng.com/diamond/  Intel::URL      cybercrime-url  -       T       -       -
>> > hardcomng.com/doc/Formgrab/     Intel::URL      cybercrime-url  -       T       -       -
>> > hardcomng.com/panel/login/      Intel::URL      cybercrime-url  -       T       -       -
>> > name.xcution.pw/        Intel::URL      cybercrime-url  -       T       -       -
>> > melatidanes.com/m3l4t1DANES/asset/js/connect/login.php  Intel::URL      cybercrime-url  -       T       -       -
>> > forwarderindia.cf/dollarspanel/login.php        Intel::URL      cybercrime-url  -       T       -       -
>> > nobles-iq.com/WebPanel/login.php        Intel::URL      cybercrime-url  -       T       -       -
>> >
>> >
>> > But I am facing one problem: in intel.log, seen.indicator is showing blank.
>> >
>> > "seen.indicator":""      The URL needs to come in this place.
>> >
>> >
>> > Is my format wrong? I am using the mal-dns2bro.sh script for formatting.
>>
>> What does your full intel.log line look like?  I'm not sure how indicator
>> could be blank, as that's what triggers the log event in the first place.
>>
>> Justin Azoff
>>
>>
>
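A sanity check for the intel file format discussed above, added here as an example and not part of the thread or of the mal-dns2bro.sh script: it verifies that the file is tab-separated, carries the `#fields` header, has a value in every `indicator` column, uses a known `indicator_type`, and that `Intel::URL` indicators carry no scheme. The set of indicator types and the sample files are assumptions constructed for the example.

```python
# Intel indicator types accepted in the indicator_type column (assumed list for the Bro 2.5 line).
VALID_TYPES = {
    "Intel::ADDR", "Intel::SUBNET", "Intel::URL", "Intel::SOFTWARE", "Intel::EMAIL",
    "Intel::DOMAIN", "Intel::USER_NAME", "Intel::CERT_HASH", "Intel::PUBKEY_HASH",
    "Intel::FILE_HASH", "Intel::FILE_NAME",
}

def check_intel_file(text: str) -> list[str]:
    """Return the problems found in a Bro intel file; an empty list means it looks sane."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("#fields\t"):
        return ["line 1: missing tab-separated '#fields' header"]
    header = lines[0].split("\t")[1:]
    missing = [c for c in ("indicator", "indicator_type", "meta.source") if c not in header]
    if missing:
        return [f"header: required column(s) missing: {', '.join(missing)}"]
    ind_i, type_i = header.index("indicator"), header.index("indicator_type")
    problems = []
    for n, line in enumerate(lines[1:], start=2):
        if not line or line.startswith("#"):
            continue
        if "\t" not in line and " " in line:      # e.g. an editor expanded tabs to spaces
            problems.append(f"line {n}: fields separated by spaces, not tabs")
            continue
        fields = line.split("\t")
        if len(fields) != len(header):
            problems.append(f"line {n}: {len(fields)} fields but header names {len(header)}")
            continue
        indicator, itype = fields[ind_i], fields[type_i]
        if indicator in ("", "-"):
            problems.append(f"line {n}: empty indicator")
        if itype not in VALID_TYPES:
            problems.append(f"line {n}: unknown indicator_type {itype!r}")
        elif itype == "Intel::URL" and "://" in indicator:
            problems.append(f"line {n}: Intel::URL indicator must not include a scheme")
    return problems

# Constructed samples in the thread's column layout; tabs built with "\t".join so they are visible.
HEADER = "\t".join(["#fields", "indicator", "indicator_type", "meta.source",
                    "meta.url", "meta.do_notice", "meta.if_in", "meta.whitelist"])
GOOD = HEADER + "\n" + "\t".join(["hardcomng.com/doc/Main/", "Intel::URL", "cybercrime-url", "-", "T", "-", "-"]) + "\n"
BAD = GOOD + "\n".join([
    "name.xcution.pw/ Intel::URL cybercrime-url - T - -",                      # spaces, not tabs
    "\t".join(["", "Intel::URL", "cybercrime-url", "-", "T", "-", "-"]),       # blank indicator
    "\t".join(["http://nobles-iq.com/WebPanel/login.php", "Intel::URL", "cybercrime-url", "-", "T", "-", "-"]),
]) + "\n"

if __name__ == "__main__":
    for name, data in (("good", GOOD), ("bad", BAD)):
        print(name, check_intel_file(data) or "OK")
```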