[Bro] bro intel {INTEL::URL} date file format check

Azoff, Justin S jazoff at illinois.edu
Fri Jun 15 10:42:35 PDT 2018


I think I figured out what is happening here.  Are any of the indicators in your .intel file blank?


find_urls and find_all_urls_without_scheme consider http:// or even xxx:// a link, and find_all_urls_without_scheme turns that into just "":

event bro_init()
{
    local s = "hello xxx://";
    local urls = find_all_urls_without_scheme(s);
    for ( url in urls ) {
        print fmt("Got [%s]", url);
    }
}

outputs:

Got []

so if your .intel file has any empty urls and bro sees a link like http://, it'll do what you are seeing.

-- 
Justin Azoff
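The condition Justin describes can be checked before a .intel file is loaded. The script below is an added example, not code from this thread or from the Bro project: it parses the tab-separated intel format using the #fields header, lists Intel::URL rows whose indicator is blank, and shows why a bare "http://" seen in traffic would hit such a row. The scheme stripping only imitates what the thread reports find_all_urls_without_scheme doing to "http://"; it is my approximation, not Bro's implementation, and the sample file content is constructed.

```python
"""Find blank Intel::URL indicators in a Bro .intel file.

Added example (not from the thread or Bro). Scheme stripping below is an
approximation of the behaviour the thread reports, not Bro's own code."""
import re

# Constructed sample in the thread's format; data line 3 (file line 4)
# has an empty indicator, the kind of row a blank input line can produce.
SAMPLE_INTEL = (
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.url\tmeta.do_notice\n"
    "hardcomng.com/doc/Main/\tIntel::URL\tcybercrime-url\t-\tT\n"
    "hardcomng.com/panel/login/\tIntel::URL\tcybercrime-url\t-\tT\n"
    "\tIntel::URL\tcybercrime-url\t-\tT\n"
    "nobles-iq.com/WebPanel/login.php\tIntel::URL\tcybercrime-url\t-\tT\n"
)

_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def without_scheme(url: str) -> str:
    """Drop a leading 'scheme://'; a bare 'http://' becomes '' (thread's Got [])."""
    return _SCHEME.sub("", url, count=1)


def url_indicators(text: str) -> list:
    """Return (line_no, indicator) for each Intel::URL row, locating the
    columns via the '#fields' header rather than assuming positions."""
    fields, rows = [], []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split("\t")))
            if row.get("indicator_type") == "Intel::URL":
                rows.append((line_no, row.get("indicator", "")))
    return rows


def blank_indicators(text: str) -> list:
    """File line numbers of Intel::URL rows whose indicator is empty."""
    return [n for n, ind in url_indicators(text) if not ind.strip()]


def would_match(text: str, seen_url: str) -> bool:
    """True if the scheme-stripped URL equals some file indicator, including
    the empty one that makes a bare 'http://' produce an intel hit."""
    return without_scheme(seen_url) in {ind for _, ind in url_indicators(text)}


if __name__ == "__main__":
    print("blank indicators on lines:", blank_indicators(SAMPLE_INTEL))
    print("bare http:// would match:", would_match(SAMPLE_INTEL, "http://"))
```

Run it against a real file with `blank_indicators(open(path).read())`; any line number it reports is a row to drop before the file reaches the intel framework.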

> On Jun 15, 2018, at 12:59 PM, ps sunu <pssunu6 at gmail.com> wrote:
> 
> we are creating from
> 
> wget -N http://cybercrime-tracker.net/all.php
> 
> ./mal-dns2bro.sh -T url -f all.php -s cybercrime-url -n true > cybercrime_url.intel
> 
> On Fri, Jun 15, 2018 at 10:21 PM, ps sunu <pssunu6 at gmail.com> wrote:
> {"ts":1529049750.133943,"uid":"CHZHCR1m2zAzOqJer7","id.orig_h":"10.10.49.11","id.orig_p":5345,"id.resp_h":"149.96.16.51","id.resp_p":25,"seen.indicator":"","seen.indicator_type":"Intel::URL","seen.where":"SMTP::IN_MESSAGE","seen.node":"worker-1-4","matched":["Intel::URL"],"sources":["cybercrime-url"]}
> 
> 
> 
> On Fri, Jun 15, 2018 at 10:09 PM, Azoff, Justin S <jazoff at illinois.edu> wrote:
> 
> > On Jun 15, 2018, at 12:32 PM, ps sunu <pssunu6 at gmail.com> wrote:
> > 
> > Hi,
> > I am using bro intel, INTEL::URL in the format below:
> > 
> > #fields indicator       indicator_type  meta.source     meta.url        meta.do_notice  meta.if_in      meta.whitelist
> > hardcomng.com/doc/Main/ Intel::URL      cybercrime-url  -       T       -       -
> > hardcomng.com/diamond/  Intel::URL      cybercrime-url  -       T       -       -
> > hardcomng.com/doc/Formgrab/     Intel::URL      cybercrime-url  -       T       -       -
> > hardcomng.com/panel/login/      Intel::URL      cybercrime-url  -       T       -       -
> > name.xcution.pw/        Intel::URL      cybercrime-url  -       T       -       -
> > melatidanes.com/m3l4t1DANES/asset/js/connect/login.php  Intel::URL      cybercrime-url  -       T       -       -
> > forwarderindia.cf/dollarspanel/login.php        Intel::URL      cybercrime-url  -       T       -       -
> > nobles-iq.com/WebPanel/login.php        Intel::URL      cybercrime-url  -       T       -       -
> > 
> > 
> > but I am facing one problem: in the intel log, seen.indicator is showing blank
> > 
> > "seen.indicator":""      the url needs to come in this place
> > 
> > 
> > Is my format wrong? I am using the mal-dns2bro.sh script for formatting.
> 
> What does your full intel.log line look like?  I'm not sure how indicator could be blank, as that's what triggers the log event in the first place.
> 
> Justin Azoff
> 
> 
> 