[Zeek] threat intel questions
Jan Grashöfer
jan.grashoefer at gmail.com
Thu Apr 11 04:22:44 PDT 2019
On 11/04/2019 03:57, Ambros Novak wrote:
> Is there a way to add meta.url and meta.desc to intel.log?
In theory there is, but you have to keep in mind that multiple metadata
records might be associated with a single indicator that matched. This
is also why the sources field in intel.log is a set. See the following
blog post for more details:
https://blog.zeek.org/2016/12/the-intelligence-framework-update.html
> For Intel::FILE_NAME to work, does base/frameworks/intel/files.bro go in
> local.bro?
Scripts in base/ should be loaded by default. If you don't see hits on
file names, try to spot them in files.log first.
> Will Intel::FILE_HASH detect MD5, SHA1, SHA256, SHA256, imphash, and
> authentihash?
>
> Will Intel::CERT_HASH detect MD5 or SHA256?
>
> Will the intel framework detect part of a URL, or only the full URL?
>
> Will "@domain.com" work in the Intel::EMAIL, or is it best to just remove
> the "@" and add it to Intel::Domain?
To understand how the different indicators work just have a look at the
corresponding seen scripts:
https://github.com/zeek/zeek/tree/master/scripts/policy/frameworks/intel/seen
For example, in the case of Intel::FILE_HASH the file_hash event is used,
which is triggered "each time file analysis generates a digest".
> Does meta.do_notice have to be set to T for an event to get logged into
> intel.log?
No. Setting do_notice to T will cause a notice to be generated. More
info on notices can be found here:
https://docs.zeek.org/en/stable/frameworks/notice.html
Jan
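As an added illustration of the first answer above (not code from the original thread or from the Zeek project): because several intel items with their own metadata can match one indicator, the extra fields have to be sets, filled from every matching item in the Intel::extend_match hook. The field names desc and url added to Intel::Info are assumed here; they mirror the meta.desc and meta.url columns of the intel file.

```zeek
# Added example: log meta.desc and meta.url of every matching item in intel.log.
# Load this from local.zeek (or local.bro on older releases).
@load base/frameworks/intel

# New columns for intel.log; assumed names, chosen to mirror the metadata fields.
# They are sets because one indicator may carry several metadata records.
redef record Intel::Info += {
    desc: set[string] &log &optional;
    url:  set[string] &log &optional;
};

# extend_match runs once per hit with all items that matched the seen value,
# so this is the place to collect the per-item metadata into the log record.
hook Intel::extend_match(info: Intel::Info, s: Intel::Seen, items: set[Intel::Item])
{
    local descs: set[string] = set();
    local urls:  set[string] = set();

    for ( item in items )
    {
        # desc and url are &optional in Intel::MetaData, so test before reading.
        if ( item$meta?$desc )
            add descs[item$meta$desc];
        if ( item$meta?$url )
            add urls[item$meta$url];
    }

    if ( |descs| > 0 )
        info$desc = descs;
    if ( |urls| > 0 )
        info$url = urls;
}
```

Logging to intel.log is independent of meta.do_notice: a matching item is logged whether do_notice is T or F, and do_notice only controls whether an Intel::Notice is raised in addition.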