[Bro] Help with intel framework

Lee Shiry lee at shiry.org
Fri Nov 16 13:26:57 PST 2018


I made a tracefile, and can see in there that it reads the dat file:

# cat tracefile.log |grep Input
0.000000
/usr/local/bro/share/bro/base/frameworks/input/./main.bro:263       
function called: Input::add_event(description =
'[source=/usr/local/intel-bad-user-agents.dat,
reader=Input::READER_ASCII, mode=Input::REREAD,
name=intel-/usr/local/intel-bad-user-agents.dat, fields=<no value
description>, want_record=T, ev=Intel::read_entry
0.000000
/usr/local/bro/share/bro/base/frameworks/input/./main.bro:263           
Builtin Function called: Input::__create_event_stream(description =
'[source=/usr/local/intel-bad-user-agents.dat,
reader=Input::READER_ASCII, mode=Input::REREAD,
name=intel-/usr/local/intel-bad-user-agents.dat, fields=<no value
description>, want_record=T, ev=Intel::read_entry
0.000000
/usr/local/bro/share/bro/base/frameworks/intel/./input.bro:17    event
called: Intel::read_entry(desc =
'[source=/usr/local/intel-bad-user-agents.dat,
reader=Input::READER_ASCII, mode=Input::REREAD,
name=intel-/usr/local/intel-bad-user-agents.dat, fields=<no value
description>, want_record=T, ev=Intel::read_entry
}]', tpe = 'Input::EVENT_NEW', item = '[indicator=360Spider,
indicator_type=Intel::SOFTWARE, meta=[source=mysource,
desc=<uninitialized>, url=<uninitialized>, do_notice=F,
if_in=<uninitialized>]]')
0.000000
/usr/local/bro/share/bro/base/frameworks/intel/./input.bro:17    event
called: Intel::read_entry(desc =
'[source=/usr/local/intel-bad-user-agents.dat,
reader=Input::READER_ASCII, mode=Input::REREAD,
name=intel-/usr/local/intel-bad-user-agents.dat, fields=<no value
description>, want_record=T, ev=Intel::read_entry
}]', tpe = 'Input::EVENT_NEW', item = '[indicator=Firefox,
indicator_type=Intel::SOFTWARE, meta=[source=mysource,
desc=<uninitialized>, url=<uninitialized>, do_notice=F,
if_in=<uninitialized>]]')
0.000000
/usr/local/bro/share/bro/base/frameworks/intel/./input.bro:17    event
called: Intel::read_entry(desc =
'[source=/usr/local/intel-bad-user-agents.dat,
reader=Input::READER_ASCII, mode=Input::REREAD,
name=intel-/usr/local/intel-bad-user-agents.dat, fields=<no value
description>, want_record=T, ev=Intel::read_entry
}]', tpe = 'Input::EVENT_NEW', item = '[indicator=192.168.89.130,
indicator_type=Intel::ADDR, meta=[source=mysource, desc=<uninitialized>,
url=<uninitialized>, do_notice=F, if_in=<uninitialized>]]')
0.000000
/usr/local/bro/share/bro/base/frameworks/input/./main.bro:248    event
called: Input::end_of_data(name =
'intel-/usr/local/intel-bad-user-agents.dat', source =
'/usr/local/intel-bad-user-agents.dat')


On 11/16/18 4:09 PM, Lee Shiry wrote:
> I removed the comma, and added a line in the dat file using
> Intel::ADDR, still no intel.log.
>
> On 11/16/18 4:03 PM, fatema bannatwala wrote:
>> Hey,
>>
>> Just a quick check, Bro won't generate the intel.log if it's unable
>> to load the intel input file to read from.
>> I was looking at your intel file re-definition:
>>
>> redef Intel::read_files += {
>>           "/usr/local/intel-bad-user-agents.dat",
>> };
>>
>> Can you remove the trailing "," after the
>> "/usr/local/intel-bad-user-agents.dat" line and see if it works?
>> I am not sure if that line should be ended with a comma.
>>
>> Also, can you try with an "Intel::ADDR" type just to check if it's
>> getting triggered?
>> You can add any IP that you can test with Intel::ADDR and see if that
>> works.
>>
>> Fatema
>>
>
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
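The grep above answers Fatema's first question by eye (the stream is added, three entries arrive, end_of_data fires). The following script, added here as an example and not part of the thread or of Bro itself, does the same check mechanically over a Bro trace file: it pulls the Input::add_event, Intel::read_entry and Input::end_of_data records out of the trace and reports, per intel source, what was actually loaded. The sample trace is constructed from the excerpt above, with each record on one line.

```python
import re
import sys

# Constructed sample, condensed from the tracefile.log excerpt above; each
# trace record is one line here (the mail client wrapped the originals).
SAMPLE_TRACE = """\
0.000000 /usr/local/bro/share/bro/base/frameworks/input/./main.bro:263 function called: Input::add_event(description = '[source=/usr/local/intel-bad-user-agents.dat, reader=Input::READER_ASCII, mode=Input::REREAD, name=intel-/usr/local/intel-bad-user-agents.dat, fields=<no value description>, want_record=T, ev=Intel::read_entry}]')
0.000000 /usr/local/bro/share/bro/base/frameworks/intel/./input.bro:17 event called: Intel::read_entry(desc = '[source=/usr/local/intel-bad-user-agents.dat, reader=Input::READER_ASCII, mode=Input::REREAD, name=intel-/usr/local/intel-bad-user-agents.dat, fields=<no value description>, want_record=T, ev=Intel::read_entry}]', tpe = 'Input::EVENT_NEW', item = '[indicator=360Spider, indicator_type=Intel::SOFTWARE, meta=[source=mysource, desc=<uninitialized>, url=<uninitialized>, do_notice=F, if_in=<uninitialized>]]')
0.000000 /usr/local/bro/share/bro/base/frameworks/intel/./input.bro:17 event called: Intel::read_entry(desc = '[source=/usr/local/intel-bad-user-agents.dat, reader=Input::READER_ASCII, mode=Input::REREAD, name=intel-/usr/local/intel-bad-user-agents.dat, fields=<no value description>, want_record=T, ev=Intel::read_entry}]', tpe = 'Input::EVENT_NEW', item = '[indicator=Firefox, indicator_type=Intel::SOFTWARE, meta=[source=mysource, desc=<uninitialized>, url=<uninitialized>, do_notice=F, if_in=<uninitialized>]]')
0.000000 /usr/local/bro/share/bro/base/frameworks/intel/./input.bro:17 event called: Intel::read_entry(desc = '[source=/usr/local/intel-bad-user-agents.dat, reader=Input::READER_ASCII, mode=Input::REREAD, name=intel-/usr/local/intel-bad-user-agents.dat, fields=<no value description>, want_record=T, ev=Intel::read_entry}]', tpe = 'Input::EVENT_NEW', item = '[indicator=192.168.89.130, indicator_type=Intel::ADDR, meta=[source=mysource, desc=<uninitialized>, url=<uninitialized>, do_notice=F, if_in=<uninitialized>]]')
0.000000 /usr/local/bro/share/bro/base/frameworks/input/./main.bro:248 event called: Input::end_of_data(name = 'intel-/usr/local/intel-bad-user-agents.dat', source = '/usr/local/intel-bad-user-agents.dat')
"""

# Record shapes as they appear in the trace (see the excerpt above).
ADD_RE = re.compile(r"Input::add_event\(description = '\[source=([^,]+),")
DESC_RE = re.compile(r"desc = '\[source=([^,]+),")
ENTRY_RE = re.compile(
    r"Intel::read_entry\(.*?tpe = '([^']+)', item = '\[indicator=([^,]+), "
    r"indicator_type=([^,\]]+), meta=\[source=([^,\]]+)")
END_RE = re.compile(r"Input::end_of_data\(name = '[^']*', source = '([^']+)'\)")


def summarize_intel_trace(text):
    """Per intel source: was the stream added, which entries arrived, did end_of_data fire."""
    sources = {}

    def rec(src):
        return sources.setdefault(src, {"added": False, "entries": [], "eod": False})

    for line in text.splitlines():
        if m := ADD_RE.search(line):
            rec(m.group(1))["added"] = True
        elif m := ENTRY_RE.search(line):
            tpe, indicator, itype, meta_src = m.groups()
            rec(DESC_RE.search(line).group(1))["entries"].append((indicator, itype, meta_src, tpe))
        elif m := END_RE.search(line):
            rec(m.group(1))["eod"] = True
    return sources


def intel_file_loaded(text, path):
    """True only if the stream for `path` was added, delivered at least one entry and hit end_of_data."""
    s = summarize_intel_trace(text).get(path)
    return bool(s and s["added"] and s["entries"] and s["eod"])


if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TRACE
    for src, s in summarize_intel_trace(data).items():
        print(f"{src}: added={s['added']} end_of_data={s['eod']} entries={len(s['entries'])}")
        for ind, itype, meta_src, tpe in s["entries"]:
            print(f"  {tpe:<16} {itype:<16} {ind} (meta.source={meta_src})")
```

Run it against a real `tracefile.log` (`python intel_trace_check.py tracefile.log`); a source that shows `added=True`, `end_of_data=True` and a non-zero entry count was read correctly, so a missing intel.log then has to be explained by something other than the file failing to load.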
