[Bro] Help with intel framework
Lee Shiry
lee at shiry.org
Fri Nov 16 09:23:05 PST 2018
Hi,
I am trying to use Bro's intel framework and can't seem to get it to
generate anything in the intel or notice logs. I'm on version 2.5.5 in
cluster mode. Everything else seems to work fine. I see all the logs,
and notices are working for other event types. I have checked to make
sure the dat file has only tabs in it to separate fields. I don't see
anything coming up in the stderr or reporter log files. I must be
missing something. Any help is appreciated.
Here is what I have added to local.bro:
##################
@load frameworks/intel/seen
@load frameworks/intel/do_notice
redef Intel::read_files += {
"/usr/local/intel-bad-user-agents.dat",
};
##################
Here is the dat file:
##################
# cat /usr/local/intel-bad-user-agents.dat
#fields indicator indicator_type meta.do_notice meta.if_in
360Spider Intel::SOFTWARE T HTTP::IN_USER_AGENT_HEADER
Mozilla Intel::SOFTWARE T HTTP::IN_USER_AGENT_HEADER
##################
(I temporarily put Mozilla in there to generate lots of events for
testing purposes)
Thanks,
lms
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20181116/01ae40af/attachment.html
More information about the Bro
mailing list