[Zeek] threat intel questions

Ambros Novak ambros.novak.89 at gmail.com
Wed Apr 17 11:00:00 PDT 2019


Thank you Michael. 

One last weird question, is there a way to have threat intel events with a different source (or a different threat intel file altogether) write out to another log - like to the feed2.txt file would write to intel2.log?
——

> On Apr 15, 2019, at 11:59 PM, Michael Shirk <shirkdog.bsd at gmail.com> wrote:
> 
> Format of the Intel files is critical, there should be errors in the reporter.log on startup if there are any issues with the formatting of the file. Most important issue is tab separated fields in your Intel files, next being that you have all of the necessary fields.
> 
> --
> Michael Shirk
> Daemon Security, Inc.
> https://www.daemon-security.com
> 
>> On Mon, Apr 15, 2019, 22:15 Ambros Novak <ambros.novak.89 at gmail.com> wrote:
>> Thank you, Jan.
>> 
>> 
>> I'm unable to get any threat intel events. The specific feed file was added in local.bro and the policy was redeployed. The intel.log is not being generated.
>> 
>> Is there a verbose debugging or warning when the policy is deployed to check for errors? 
>> 
>> What is the best way to test the threat intel framework and events?
>> 
>> If the syntax of the feed.txt is bad, will it cause no events in intel.log?
>> 
>> Will unicode characters (non-ASCII) in the feed.txt cause an error or break the threat intel framework?
>> 
>> Will multi-line values in the source, desc, or url cause the threat intel framework to not work?
>> 
>> Thank you in advance for the help!!!
>> 
>>> On Thu, Apr 11, 2019 at 7:25 AM Jan Grashöfer <jan.grashoefer at gmail.com> wrote:
>>> On 11/04/2019 03:57, Ambros Novak wrote:
>>> > Is there a way to add meta.url and meta.desc to intel.log?
>>> 
>>> In theory there is but you have to keep in mind that multiple meta data 
>>> records might be associated with a single indicator that matched. This 
>>> is also why the sources field in intel.log is a set. See the following 
>>> blog post for more details: 
>>> https://blog.zeek.org/2016/12/the-intelligence-framework-update.html
>>> 
>>> > For Intel::FILE_NAME to work, does base/frameworks/intel/files.bro go in
>>> > local.bro?
>>> 
>>> Scripts in base/ should be loaded by default. If you don't see hits on 
>>> file names try to spot them in files.log first.
>>> 
>>> > Will Intel::FILE_HASH detect MD5, SHA1, SHA256, SHA256, imphash, and
>>> > authentihash?
>>> > 
>>> > Will Intel::CERT_HASH detect MD5 or SHA256?
>>> > 
>>> > Will the intel framework detect part of a URL, or only the full URL?
>>> > 
>>> > Will "@domain.com" work in the Intel::EMAIL, or is it best to just remove
>>> > the "@" and add it to Intel::Domain?
>>> 
>>> To understand how the different indicators work just have a look at the 
>>> corresponding seen scripts: 
>>> https://github.com/zeek/zeek/tree/master/scripts/policy/frameworks/intel/seen
>>> 
>>> For example in case of Intel::FILE_HASH the file_hash event is used, 
>>> which is triggered "each time file analysis generates a digest".
>>> 
>>> > Does meta.do_notice have to be set to T for an event to get logged into
>>> > intel.log?
>>> 
>>> No. Setting do_notice to T will cause a notice to be generated. More 
>>> info on notices can be found here: 
>>> https://docs.zeek.org/en/stable/frameworks/notice.html
>>> 
>>> Jan
>>> _______________________________________________
>>> Zeek mailing list
>>> zeek at zeek.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
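An added example, not from this thread: a small pre-deployment checker that enforces the points Michael raises (a tab-separated `#fields` header, tab-separated rows, and the required indicator / indicator_type / meta.source columns) on an intel file before it is loaded. The sample feed, its mistakes and the `feed2` source name are constructed; the indicator type names are those of Zeek's `Intel::Type` enum.

```python
# Constructed sample feed: row 3 is space-separated after the source column,
# row 4 has an invalid meta.do_notice value. Real feeds use literal tabs.
SAMPLE_FEED = (
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.do_notice\n"
    "203.0.113.7\tIntel::ADDR\tfeed2\tconstructed sample\tT\n"
    "evil.example\tIntel::DOMAIN\tfeed2\tspace separated row F\n"
    "user@example.test\tIntel::EMAIL\tfeed2\tok\tmaybe\n"
)

REQUIRED = ("indicator", "indicator_type", "meta.source")
# Indicator types defined by Zeek's Intel framework (Intel::Type).
TYPES = {"Intel::ADDR", "Intel::SUBNET", "Intel::URL", "Intel::SOFTWARE",
         "Intel::EMAIL", "Intel::DOMAIN", "Intel::USER_NAME", "Intel::CERT_HASH",
         "Intel::PUBKEY_HASH", "Intel::FILE_HASH", "Intel::FILE_NAME"}

def check_intel_feed(text):
    """Return a list of (line_no, message) problems; an empty list means clean."""
    problems = []
    lines = text.split("\n")
    if not lines or not lines[0].startswith("#fields\t"):
        return [(1, "first line must be a tab-separated '#fields' header")]
    cols = lines[0].split("\t")[1:]
    for name in REQUIRED:
        if name not in cols:
            problems.append((1, f"missing required column {name}"))
    if problems:
        return problems
    idx = {c: i for i, c in enumerate(cols)}
    for n, line in enumerate(lines[1:], start=2):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        # Space-separated rows and values containing a newline (which split
        # into two rows) both surface here as a wrong field count.
        if len(fields) != len(cols):
            problems.append((n, f"expected {len(cols)} tab-separated fields, got {len(fields)}"))
            continue
        if not fields[idx["indicator"]]:
            problems.append((n, "empty indicator"))
        if fields[idx["indicator_type"]] not in TYPES:
            problems.append((n, f"unknown indicator_type {fields[idx['indicator_type']]!r}"))
        if "meta.do_notice" in idx and fields[idx["meta.do_notice"]] not in ("T", "F", "-"):
            problems.append((n, "meta.do_notice must be T, F or -"))
        if any(ord(ch) > 127 for ch in line):
            # Not an error by itself; confirm reporter.log stays clean after loading.
            problems.append((n, "non-ASCII characters present; check reporter.log after loading"))
    return problems
```

Run it over a feed file's contents before redeploying; any reported line is a row that will either be skipped or misparsed by the input framework.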