[Bro] Help with intel framework

Michael Shirk shirkdog.bsd at gmail.com
Fri Nov 16 09:47:32 PST 2018


And I misread; you already did check the reporter log. Sorry for the noise. I
would get a pcap and test this offline with the intel framework to
make sure everything is working as it should.
On Fri, Nov 16, 2018 at 12:44 PM Michael Shirk <shirkdog.bsd at gmail.com> wrote:
>
> The most important thing is the format of that ".dat" file. If you do
> not have tabs entered correctly, the files may not be loaded. Check
> your "reporter.log" to see if there are any errors with the input of
> your intel file.
>
> Example error:
> 0.000000        Reporter::WARNING
> /nsm/intel/custom.intel/Input::READER_ASCII: Field: meta.do_notice
> Invalid value for boolean: meta.do_notice    (empty)
> On Fri, Nov 16, 2018 at 12:24 PM Lee Shiry <lee at shiry.org> wrote:
> >
> > Hi,
> >
> > I am trying to use Bro's intel framework and can't seem to get it to generate anything in the intel or notice logs.  I'm on version 2.5.5 in cluster mode.  Everything else seems to work fine.  I see all the logs, and notices are working for other event types. I have checked to make sure the dat file has only tabs in it to separate fields.  I don't see anything coming up in the stderr or reporter log files.  I must be missing something.  Any help is appreciated.
> >
> > Here is what I have added to local.bro:
> >
> > ##################
> > @load frameworks/intel/seen
> > @load frameworks/intel/do_notice
> >
> > redef Intel::read_files += {
> >         "/usr/local/intel-bad-user-agents.dat",
> > };
> > ##################
> >
> >
> > Here is the dat file:
> >
> > ##################
> > # cat /usr/local/intel-bad-user-agents.dat
> > #fields    indicator    indicator_type    meta.do_notice    meta.if_in
> > 360Spider    Intel::SOFTWARE    T    HTTP::IN_USER_AGENT_HEADER
> > Mozilla    Intel::SOFTWARE    T    HTTP::IN_USER_AGENT_HEADER
> > ##################
> >
> > (I temporarily put Mozilla in there to generate lots of events for testing purposes)
> >
> >
> > Thanks,
> > lms
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
>
> --
> Michael Shirk
> Daemon Security, Inc.
> https://www.daemon-security.com



-- 
Michael Shirk
Daemon Security, Inc.
https://www.daemon-security.com
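The advice above boils down to checking the shape of the ".dat" file before the Input framework's ASCII reader sees it: single tab characters between fields, a "#fields" header, and T/F for the boolean columns. The script below is an added example for this thread, not code from Bro or from either poster. It checks exactly those points on a file offline and also flags a header that lacks meta.source, which I take to be required because it is the one field of Intel::MetaData that is not &optional (assumption, based on the Bro 2.5 record definition); the indicator type list is likewise assumed from the 2.5 Intel framework. The two sample files embedded in it are constructed for the example: one is the poster's file rewritten with tabs and a meta.source column, the other reproduces the empty meta.do_notice from the quoted reporter.log warning plus a row typed with spaces.

```python
"""Sanity-check a Bro Intel framework input file before adding it to
Intel::read_files.  Added example for this thread, not Bro's own code.
It mirrors the checks the ASCII reader applies: tab separation, a
#fields header, and booleans written as T/F."""
import sys

# Indicator types of the Intel framework (assumption: Bro 2.5's
# base/frameworks/intel/main.bro).
INTEL_TYPES = {
    "Intel::ADDR", "Intel::SUBNET", "Intel::URL", "Intel::SOFTWARE",
    "Intel::EMAIL", "Intel::DOMAIN", "Intel::USER_NAME", "Intel::CERT_HASH",
    "Intel::PUBKEY_HASH", "Intel::FILE_HASH", "Intel::FILE_NAME",
}
BOOLEANS = {"T", "F"}
# indicator/indicator_type come from Intel::Item; meta.source is the one
# non-&optional field of Intel::MetaData (assumption: Bro 2.5).
REQUIRED = ("indicator", "indicator_type", "meta.source")

# Constructed sample: the poster's file with real tabs and a source column.
GOOD = (
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.do_notice\tmeta.if_in\n"
    "360Spider\tIntel::SOFTWARE\tcustom\tT\tHTTP::IN_USER_AGENT_HEADER\n"
    "Mozilla\tIntel::SOFTWARE\tcustom\tT\tHTTP::IN_USER_AGENT_HEADER\n"
)
# Constructed sample: no meta.source, an empty meta.do_notice (the case in
# the quoted reporter.log warning) and a row separated by spaces.
BAD = (
    "#fields\tindicator\tindicator_type\tmeta.do_notice\tmeta.if_in\n"
    "360Spider\tIntel::SOFTWARE\t\tHTTP::IN_USER_AGENT_HEADER\n"
    "Mozilla    Intel::SOFTWARE    T    HTTP::IN_USER_AGENT_HEADER\n"
)


def validate_intel_file(text):
    """Return a list of problems found in `text`; an empty list means the
    file has the shape the Intel framework expects."""
    problems = []
    fields = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#fields"):
            if "\t" not in line:
                problems.append("line %d: #fields header is not tab-separated" % lineno)
                continue
            fields = line.split("\t")[1:]
            for name in REQUIRED:
                if name not in fields:
                    problems.append("line %d: header lacks required field %s" % (lineno, name))
            continue
        if line.startswith("#"):
            continue  # other directives and comments are left alone
        if fields is None:
            problems.append("line %d: data before #fields header" % lineno)
            continue
        if "\t" not in line:
            problems.append("line %d: no tab characters; fields look space-separated" % lineno)
            continue
        cols = line.split("\t")
        if len(cols) != len(fields):
            problems.append("line %d: %d columns, header declares %d" % (lineno, len(cols), len(fields)))
            continue
        row = dict(zip(fields, cols))
        if not row.get("indicator"):
            problems.append("line %d: empty indicator" % lineno)
        if row.get("indicator_type") not in INTEL_TYPES:
            problems.append("line %d: unknown indicator_type %r" % (lineno, row.get("indicator_type")))
        # Same condition as the quoted reporter.log warning: an empty or
        # non-T/F value (including 'T ' with a trailing space) is rejected.
        if "meta.do_notice" in row and row["meta.do_notice"] not in BOOLEANS:
            problems.append("line %d: invalid value for boolean meta.do_notice: %r"
                            % (lineno, row["meta.do_notice"]))
    if fields is None:
        problems.append("no #fields header found")
    return problems


if __name__ == "__main__":
    # Usage: python check_intel.py /usr/local/intel-bad-user-agents.dat
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BAD
    for problem in validate_intel_file(text) or ["no problems found"]:
        print(problem)
```

Run it against the file on the manager (the node that reads Intel::read_files in a cluster) before restarting; a clean run removes the file format from the list of suspects and leaves the pcap replay suggested above as the next step.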


