[Bro] Help with intel framework

Azoff, Justin S jazoff at illinois.edu
Fri Nov 16 13:43:57 PST 2018


The HTTP::IN_USER_AGENT_HEADER needs to be an exact match, so unless you used a user agent of just "Mozilla" you would never get a hit.
________________________________
From: bro-bounces at bro.org <bro-bounces at bro.org> on behalf of Lee Shiry <lee at shiry.org>
Sent: Friday, November 16, 2018 2:44:33 PM
To: Michael Shirk
Cc: bro
Subject: Re: [Bro] Help with intel framework

I have tried several things in offline mode.  I am searching for "Firefox" in "Intel::IN_ANYWHERE", and still no intel hits, even though "firefox" clearly shows up in the http.log in the user agent field.

On 11/16/18 1:28 PM, Lee Shiry wrote:
I took a pcap file and ran it standalone against the file.  This time it complained that the requested field meta.source was missing.  I don't know why that was not showing up in the reporter or stderr logs.  I added the field, and now there are no errors, but still no intel.log.

On 11/16/18 12:47 PM, Michael Shirk wrote:

And I misread you already did check reporter. Sorry for the noise. I
would get a pcap and test this offline with the intel framework to
make sure everything is working as it should.
On Fri, Nov 16, 2018 at 12:44 PM Michael Shirk <shirkdog.bsd at gmail.com> wrote:


The most important thing is the format of that ".dat" file. If you do
not have tabs entered correctly, the files may not be loaded. Check
your "reporter.log" to see if there are any errors with the input of
your intel file.

Example error:
0.000000        Reporter::WARNING
/nsm/intel/custom.intel/Input::READER_ASCII: Field: meta.do_notice
Invalid value for boolean: meta.do_notice    (empty)
On Fri, Nov 16, 2018 at 12:24 PM Lee Shiry <lee at shiry.org> wrote:


Hi,

I am trying to use Bro's intel framework and can't seem to get it to generate anything in the intel or notice logs.  I'm on version 2.5.5 in cluster mode.  Everything else seems to work fine.  I see all the logs, and notices are working for other event types. I have checked to make sure the dat file has only tabs in it to separate fields.  I don't see anything coming up in the stderr or reporter log files.  I must be missing something.  Any help is appreciated.

Here is what I have added to local.bro:

##################
@load frameworks/intel/seen
@load frameworks/intel/do_notice

redef Intel::read_files += {
        "/usr/local/intel-bad-user-agents.dat",
};
##################


Here is the dat file:

##################
# cat /usr/local/intel-bad-user-agents.dat
#fields    indicator    indicator_type    meta.do_notice    meta.if_in
360Spider    Intel::SOFTWARE    T    HTTP::IN_USER_AGENT_HEADER
Mozilla    Intel::SOFTWARE    T    HTTP::IN_USER_AGENT_HEADER
##################

(I temporarily put Mozilla in there to generate lots of events for testing purposes)


Thanks,
lms
_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro



--
Michael Shirk
Daemon Security, Inc.
https://www.daemon-security.com








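As an added example (not code from the thread and not part of Bro itself), the following Python script does the two checks this thread turns on: it validates an intel .dat file the way the ASCII input reader would complain about it (tabs between fields, a required meta.source column, T/F values for meta.do_notice), and it contrasts the exact-match lookup Justin describes for HTTP::IN_USER_AGENT_HEADER with the substring match the original poster expected. The sample intel lines, the User-Agent strings and the list of indicator type names are constructed for this example; the meta.source value "bad-ua-list" is an arbitrary placeholder.

```python
"""Checker for a Bro intel .dat file plus a demonstration of exact-match
lookup of Intel::SOFTWARE indicators in HTTP::IN_USER_AGENT_HEADER.
Added example; not from the mailing-list thread and not Bro's own code."""

# Indicator type names as used by Bro's intel framework (subset; extend as needed).
INDICATOR_TYPES = {
    "Intel::ADDR", "Intel::URL", "Intel::SOFTWARE", "Intel::EMAIL",
    "Intel::DOMAIN", "Intel::USER_NAME", "Intel::FILE_HASH",
    "Intel::FILE_NAME", "Intel::CERT_HASH",
}
REQUIRED_FIELDS = ("indicator", "indicator_type", "meta.source")
BOOL_VALUES = {"T", "F"}

# Constructed sample: the poster's file with meta.source added and real tabs.
GOOD_INTEL = (
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.do_notice\tmeta.if_in\n"
    "360Spider\tIntel::SOFTWARE\tbad-ua-list\tT\tHTTP::IN_USER_AGENT_HEADER\n"
    "Mozilla\tIntel::SOFTWARE\tbad-ua-list\tT\tHTTP::IN_USER_AGENT_HEADER\n"
)
# Constructed broken file: one line separated by spaces instead of tabs, and one
# line with an empty meta.do_notice (the boolean error quoted in the thread).
BAD_INTEL = (
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.do_notice\n"
    "360Spider    Intel::SOFTWARE    bad-ua-list    T\n"
    "Mozilla\tIntel::SOFTWARE\tbad-ua-list\t\n"
)
# Constructed User-Agent values of the kind found in the http.log user_agent column.
SAMPLE_USER_AGENTS = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0",
    "360Spider",
    "curl/7.58.0",
]


def parse_intel(text):
    """Parse intel file text. Returns (records, problems): records are dicts
    keyed by the names on the #fields line, problems is a list of messages."""
    records, problems, fields = [], [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            for f in REQUIRED_FIELDS:
                if f not in fields:
                    problems.append("line %d: #fields lacks required field %s" % (lineno, f))
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            problems.append("line %d: data before #fields header" % lineno)
            continue
        if "\t" not in line:
            problems.append("line %d: no tab separators (fields must be tab-separated)" % lineno)
            continue
        values = line.split("\t")
        if len(values) != len(fields):
            problems.append("line %d: %d values for %d fields" % (lineno, len(values), len(fields)))
            continue
        rec = dict(zip(fields, values))
        if rec.get("indicator_type") not in INDICATOR_TYPES:
            problems.append("line %d: unknown indicator_type %r" % (lineno, rec.get("indicator_type")))
        if "meta.do_notice" in rec and rec["meta.do_notice"] not in BOOL_VALUES:
            problems.append("line %d: invalid value for boolean meta.do_notice: %r"
                            % (lineno, rec["meta.do_notice"]))
        records.append(rec)
    return records, problems


def user_agent_hits(records, user_agent):
    """Intel framework semantics: the whole User-Agent value is looked up as the
    indicator, so only an exact string match counts. A record without meta.if_in
    is treated as matching anywhere, so it is still eligible here."""
    return [r["indicator"] for r in records
            if r.get("indicator_type") == "Intel::SOFTWARE"
            and r.get("meta.if_in", "HTTP::IN_USER_AGENT_HEADER") == "HTTP::IN_USER_AGENT_HEADER"
            and r["indicator"] == user_agent]


def substring_hits(records, user_agent):
    """What the poster expected (indicator found anywhere inside the value).
    The intel framework does not do this; shown only for contrast."""
    return [r["indicator"] for r in records if r["indicator"] in user_agent]


if __name__ == "__main__":
    recs, probs = parse_intel(GOOD_INTEL)
    print("GOOD_INTEL problems:", probs)
    for ua in SAMPLE_USER_AGENTS:
        print("%-45s exact=%s substring=%s"
              % (ua[:45], user_agent_hits(recs, ua), substring_hits(recs, ua)))
    for p in parse_intel(BAD_INTEL)[1]:
        print("BAD_INTEL:", p)
```

Running it shows that "Mozilla" only fires when the header is literally "Mozilla", which is why a browser User-Agent beginning with "Mozilla/5.0" produces no intel.log entry, while the bare "360Spider" value does.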
