[Zeek] threat intel questions

Ambros Novak ambros.novak.89 at gmail.com
Mon Apr 15 18:33:09 PDT 2019


Thank you, Jan.


I'm unable to get any threat intel events. The specific feed file was
added in local.bro and the policy was redeployed. The intel.log is not
being generated.

Is there a verbose debugging or warning when the policy is deployed to
check for errors?

What is the best way to test the threat intel framework and events?

If the syntax of the feed.txt is bad will it cause the no events in
intel.log?

Will unicode characters (non-ASCII) in the feed.txt cause an error or break
the threat intel framework?

Will multi-line values in the source, desc, or url cause the threat intel
framework to not work?

Thank you in advance for the help!!!

On Thu, Apr 11, 2019 at 7:25 AM Jan Grashöfer <jan.grashoefer at gmail.com>
wrote:

> On 11/04/2019 03:57, Ambros Novak wrote:
> > Is there a way to add meta.url and meta.desc to intel.log?
>
> In theory there is but you have to keep in mind that multiple meta data
> records might be associated with a single indicator that matched. This
> is also why the sources field in intel.log is a set. See the following
> blog post for more details:
> https://blog.zeek.org/2016/12/the-intelligence-framework-update.html
>
> > For Intel::FILE_NAME to work, does base/frameworks/intel/files.bro go in
> > local.bro?
>
> Scripts in base/ should be loaded by default. If you don't see hits on
> file names try to spot them in files.log first.
>
> > Will Intel::FILE_HASH detect MD5, SHA1, SHA256, SHA256, imphash, and
> > authentihash?
> >
> > Will Intel::CERT_HASH detect MD5 or SHA256?
> >
> > Will the intel framework detect part of a URL, or only the full URL?
> >
> > Will "@domain.com" work in the Intel::EMAIL, or is it best to just remove
> > the "@" and add it to Intel::Domain?
>
> To understand how the different indicators work just have a look at the
> corresponding seen scripts:
>
> https://github.com/zeek/zeek/tree/master/scripts/policy/frameworks/intel/seen
>
> For example in case of Intel::FILE_HASH the file_hash event is used,
> which is triggered "each time file analysis generates a digest".
>
> > Does meta.do_notice have to be set to T for an event to get logged into
> > intel.log?
>
> No. Setting do_notice to T will cause a notice to be generated. More
> info on notices can be found here:
> https://docs.zeek.org/en/stable/frameworks/notice.html
>
> Jan
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>
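An added example, not from this thread or from the Zeek project: a small Python checker for the tab-separated feed file that the Intel framework loads through the Input framework. It covers the questions above about bad syntax, non-ASCII characters and wrapped multi-line values, and flags a few other common feed mistakes (CRLF line endings, a misspelled `Intel::` type, an `Intel::URL` indicator that still carries its scheme). The `#fields` header names and the `Intel::` type names are the ones Zeek's Intel framework uses; the feed contents, source names and URLs below are constructed for the example.

```python
"""Validate a Zeek Intelligence Framework feed file before deploying it.

Added example; the two feeds below are constructed, not real intel.
"""

# Indicator types from Zeek's Intel::Type enum (assumption: the set as of Zeek 2.6).
VALID_TYPES = {
    "Intel::ADDR", "Intel::SUBNET", "Intel::URL", "Intel::SOFTWARE",
    "Intel::EMAIL", "Intel::DOMAIN", "Intel::USER_NAME", "Intel::CERT_HASH",
    "Intel::PUBKEY_HASH", "Intel::FILE_HASH", "Intel::FILE_NAME",
}
REQUIRED_FIELDS = ("indicator", "indicator_type", "meta.source")
KNOWN_FIELDS = set(REQUIRED_FIELDS) | {"meta.desc", "meta.url", "meta.do_notice"}


def validate_feed(text):
    """Return a list of (line_number, message) problems; an empty list means the feed passed."""
    problems = []
    lines = text.split("\n")
    # The Input framework needs a literal "#fields" header whose names are tab-separated.
    if not lines or not lines[0].startswith("#fields\t"):
        problems.append((1, "first line must be a tab-separated '#fields' header"))
        return problems
    fields = lines[0].rstrip("\r").split("\t")[1:]
    for req in REQUIRED_FIELDS:
        if req not in fields:
            problems.append((1, f"header lacks required field {req}"))
    for name in fields:
        if name not in KNOWN_FIELDS:
            problems.append((1, f"unexpected field name {name!r}"))
    if "indicator_type" not in fields or "indicator" not in fields:
        return problems
    ind_idx = fields.index("indicator")
    type_idx = fields.index("indicator_type")
    notice_idx = fields.index("meta.do_notice") if "meta.do_notice" in fields else None

    for n, line in enumerate(lines[1:], start=2):
        if line == "" or line.startswith("#"):
            continue  # blank lines and further '#' lines carry no record; skipped here
        if line.endswith("\r"):
            problems.append((n, "CRLF line ending; the '\\r' would become part of the last field"))
            line = line.rstrip("\r")
        try:
            line.encode("ascii")
        except UnicodeEncodeError:
            problems.append((n, "non-ASCII characters present"))
        cols = line.split("\t")
        if len(cols) != len(fields):
            # A description wrapped onto a second line shows up as two short records.
            problems.append((n, f"expected {len(fields)} tab-separated columns, found {len(cols)}"))
            continue
        if cols[type_idx] not in VALID_TYPES:
            problems.append((n, f"unknown indicator_type {cols[type_idx]!r} (names are case-sensitive)"))
        if cols[type_idx] == "Intel::URL" and cols[ind_idx].startswith(("http://", "https://")):
            problems.append((n, "Intel::URL indicators are written without the scheme prefix"))
        if notice_idx is not None and cols[notice_idx] not in ("T", "F"):
            problems.append((n, "meta.do_notice must be T or F"))
    return problems


# Constructed feed that passes every check.
GOOD_FEED = (
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.url\tmeta.do_notice\n"
    "203.0.113.10\tIntel::ADDR\tconstructed-feed\tscanner seen in honeypot\thttps://example.invalid/ioc/1\tT\n"
    "badhost.example.invalid\tIntel::DOMAIN\tconstructed-feed\tC2 domain\thttps://example.invalid/ioc/2\tF\n"
    "example.invalid/dropper.exe\tIntel::URL\tconstructed-feed\tdropper URL\thttps://example.invalid/ioc/3\tT\n"
)

# Constructed feed with one mistake per record: non-ASCII text (line 2), a description
# wrapped over two lines (lines 3-4), a URL with scheme (line 5), a misspelled type and
# a bad do_notice value (line 6).
BAD_FEED = (
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.url\tmeta.do_notice\n"
    "203.0.113.10\tIntel::ADDR\tconstructed-feed\tseen in Z\u00fcrich honeypot\thttps://example.invalid/ioc/1\tT\n"
    "badhost.example.invalid\tIntel::DOMAIN\tconstructed-feed\tC2 domain,\n"
    "second half of the description\thttps://example.invalid/ioc/2\tF\n"
    "http://example.invalid/dropper.exe\tIntel::URL\tconstructed-feed\tdropper URL\thttps://example.invalid/ioc/3\tT\n"
    "user@example.invalid\tIntel::Email\tconstructed-feed\ttypo in type\thttps://example.invalid/ioc/4\tyes\n"
)

if __name__ == "__main__":
    for label, feed in (("good", GOOD_FEED), ("bad", BAD_FEED)):
        print(f"{label}: {len(validate_feed(feed))} problem(s)")
        for line_no, msg in validate_feed(feed):
            print(f"  line {line_no}: {msg}")
```

Run it against a feed before pointing `Intel::read_files` at it; the wrapped-description case is worth noting because the first half of the record is what Zeek would see, with the URL and do_notice fields missing. Zeek itself reports Input framework failures such as an unparseable header or a wrong column count in reporter.log, so that is the first place to check when intel.log never appears.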