[Bro] bro intel {INTEL::URL} date file format check
ps sunu
pssunu6 at gmail.com
Mon Jun 18 00:28:35 PDT 2018
Thanks Justin, for helping. The intel file has one blank-space intel.
On Fri, Jun 15, 2018 at 11:12 PM, Azoff, Justin S <jazoff at illinois.edu> wrote:
> I think I figured out what is happening here. Are any of the indicators
> in your .intel file blank?
>
>
> find_urls and find_all_urls_without_scheme consider http:// or even
> xxx:// a link, and find_all_urls_without_scheme turns that into just "":
>
> event bro_init()
>     {
>     local s = "hello xxx://";
>     local urls = find_all_urls_without_scheme(s);
>     for ( url in urls ) {
>         print fmt("Got [%s]", url);
>     }
>     }
>
> outputs:
>
> Got []
>
> so if your .intel file has any empty urls and bro sees a link like http://,
> it'll do what you are seeing.
>
> —
> Justin Azoff
>
> > On Jun 15, 2018, at 12:59 PM, ps sunu <pssunu6 at gmail.com> wrote:
> >
> > we are creating from
> >
> > wget -N http://cybercrime-tracker.net/all.php
> >
> > ./mal-dns2bro.sh -T url -f all.php -s cybercrime-url -n true > cybercrime_url.intel
> >
> > On Fri, Jun 15, 2018 at 10:21 PM, ps sunu <pssunu6 at gmail.com> wrote:
> > {"ts":1529049750.133943,"uid":"CHZHCR1m2zAzOqJer7","id.orig_h":"10.10.49.11","id.orig_p":5345,"id.resp_h":"149.96.16.51","id.resp_p":25,"seen.indicator":"","seen.indicator_type":"Intel::URL","seen.where":"SMTP::IN_MESSAGE","seen.node":"worker-1-4","matched":["Intel::URL"],"sources":["cybercrime-url"]}
> >
> >
> >
> > On Fri, Jun 15, 2018 at 10:09 PM, Azoff, Justin S <jazoff at illinois.edu> wrote:
> >
> > > On Jun 15, 2018, at 12:32 PM, ps sunu <pssunu6 at gmail.com> wrote:
> > >
> > > Hi,
> > > I am using bro intel, INTEL::URL, in the format below
> > >
> > > #fields indicator indicator_type meta.source meta.url meta.do_notice meta.if_in meta.whitelist
> > > hardcomng.com/doc/Main/ Intel::URL cybercrime-url - T - -
> > > hardcomng.com/diamond/ Intel::URL cybercrime-url - T - -
> > > hardcomng.com/doc/Formgrab/ Intel::URL cybercrime-url - T - -
> > > hardcomng.com/panel/login/ Intel::URL cybercrime-url - T - -
> > > name.xcution.pw/ Intel::URL cybercrime-url - T - -
> > > melatidanes.com/m3l4t1DANES/asset/js/connect/login.php Intel::URL cybercrime-url - T - -
> > > forwarderindia.cf/dollarspanel/login.php Intel::URL cybercrime-url - T - -
> > > nobles-iq.com/WebPanel/login.php Intel::URL cybercrime-url - T - -
> > >
> > >
> > > But I am facing one problem: in the intel log, seen.indicator is showing blank.
> > >
> > > "seen.indicator":"" is the place where the URL needs to come.
> > >
> > >
> > > Is my format wrong? I am using the mal-dns2bro.sh script for formatting.
> >
> > What does your full intel.log line look like? I'm not sure how
> indicator could be blank, as that's what triggers the log event in the
> first place.
> >
> > —
> > Justin Azoff
> >
> >
> >
>
>
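As an added example (not part of this thread and not Bro's own code), here is a small Python check for a .intel file that flags rows whose indicator is empty or whitespace-only, together with a simplified model of the scheme stripping that turns "xxx://" into "". The regex and the sample file are assumptions constructed for illustration, not Bro's implementation.

```python
import re
from typing import List, Tuple

# Constructed sample in the tab-separated format shown in the thread.
# Two rows carry a blank indicator: one whitespace-only, one empty.
SAMPLE_INTEL = "\n".join([
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.url"
    "\tmeta.do_notice\tmeta.if_in\tmeta.whitelist",
    "hardcomng.com/doc/Main/\tIntel::URL\tcybercrime-url\t-\tT\t-\t-",
    " \tIntel::URL\tcybercrime-url\t-\tT\t-\t-",
    "name.xcution.pw/\tIntel::URL\tcybercrime-url\t-\tT\t-\t-",
    "\tIntel::URL\tcybercrime-url\t-\tT\t-\t-",
])


def find_blank_indicators(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, line) for every data row whose indicator
    column is empty or whitespace-only. Columns are taken from the
    '#fields' header; rows are tab-separated."""
    cols: List[str] = []
    bad: List[Tuple[int, str]] = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith("#fields"):
            cols = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        idx = cols.index("indicator") if "indicator" in cols else 0
        if idx >= len(fields) or fields[idx].strip() == "":
            bad.append((n, line))
    return bad


# Simplified model (an assumption, not Bro's code) of why a blank
# indicator is harmful: a bare "xxx://" is still treated as a URL, and
# stripping the scheme leaves "", which equals an empty indicator.
_URL_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*://\S*")


def urls_without_scheme(s: str) -> List[str]:
    """Extract URL-looking tokens and drop everything up to '://'."""
    return [m.group(0).split("://", 1)[1] for m in _URL_RE.finditer(s)]


if __name__ == "__main__":
    for n, row in find_blank_indicators(SAMPLE_INTEL):
        print(f"line {n}: blank indicator in {row!r}")
    print(urls_without_scheme("hello xxx://"))
```

Run the check over a generated .intel file before loading it; any row it reports will match every "http://"-style fragment Bro sees.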