[Zeek] Threat Intel Framework not generating intel.log

Patrick Cain pcain at coopercain.com
Thu Aug 8 14:25:13 PDT 2019


Hi,


You may already have done this stuff, but here are some notes from my
adventures with the intel framework.

The reporter.log and the stderr.log spit out error messages when the intel
framework loads/changes/etc. If you're sure that you're loading all three
intel scripts, then there may be useful data in those log files. The intel
files only get generated when there is an intel 'hit', so if you loaded
intel files with IOCs that you may never see, you'll never see an intel.log
file. I normally ingest a "bad_things.intel" file that I manually add
non-bad things to just to make sure the intel framework is still
functioning, like my corporate server address or security friends'
blackhole servers. When I'm worried that the intel framework may be confused,
I just visit whatever is in the bad_things file and - voilà - I get an
intel.log entry.


Note that the intel files have an exact syntax. I've been burned by 'vi'
changing the first tab in the 'fields' line to a space and the intel file
never loads. I'm pretty good at decoding 'od -c *.intel' output now. :(


Pat
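Both points in the reply above (intel.log only appears once an indicator actually matches, and the intel file's tab-separated syntax is unforgiving) can be checked before the file ever reaches Zeek. The validator below is an added example written for this page; it is not code from the thread or from the Zeek project. The two sample files are constructed here, the canary values (192.0.2.10, canary.example.com) are placeholders for hosts you control, and the list of indicator types is assumed to be the Intel::Type set as named in Zeek 3.x.

```python
"""Validator for a Zeek Intel framework input file.

Added example for this page, not code from the thread or from the Zeek
project. It catches the syntax mistakes that make the input framework
reject a file without ever producing intel.log: a space instead of the
first tab, CRLF line endings, a missing required column, rows with the
wrong field count, misspelled indicator types and an empty meta.source.
"""
import re
import sys
from typing import Dict, List

REQUIRED_COLUMNS = ("indicator", "indicator_type", "meta.source")

# Indicator types defined by Intel::Type (assumption: Zeek 3.x naming).
KNOWN_TYPES = {
    "Intel::ADDR", "Intel::SUBNET", "Intel::URL", "Intel::SOFTWARE",
    "Intel::EMAIL", "Intel::DOMAIN", "Intel::USER_NAME", "Intel::CERT_HASH",
    "Intel::PUBKEY_HASH", "Intel::FILE_HASH", "Intel::FILE_NAME",
}


def check_intel_file(text: str) -> List[str]:
    """Return the problems found; an empty list means the file looks loadable."""
    problems: List[str] = []
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # a trailing newline is fine

    if not lines or not lines[0].startswith("#fields"):
        return ["line 1: file must begin with a '#fields' header"]

    header = lines[0]
    if header.endswith("\r"):
        problems.append("line 1: CRLF line ending; the file must use LF only")
        header = header.rstrip("\r")
    if not header.startswith("#fields\t"):
        # The failure from the thread: an editor replaced the first tab with a space.
        problems.append("line 1: '#fields' must be followed by a TAB, not a space")
        header = re.sub(r"^#fields[ \t]+", "#fields\t", header)
    columns = header.split("\t")[1:]
    for col in columns:
        if " " in col:
            problems.append(f"line 1: column name {col!r} contains a space; "
                            "column names must be TAB separated")
    for col in REQUIRED_COLUMNS:
        if col not in columns:
            problems.append(f"line 1: required column {col!r} is missing")

    for n, line in enumerate(lines[1:], start=2):
        if line.endswith("\r"):
            problems.append(f"line {n}: CRLF line ending; the file must use LF only")
            line = line.rstrip("\r")
        if line == "" or line.startswith("#"):
            continue  # skipped here; '#' lines are comments to the input framework
        fields = line.split("\t")
        if len(fields) != len(columns):
            problems.append(f"line {n}: {len(fields)} field(s) but the header "
                            f"declares {len(columns)}")
            continue
        row: Dict[str, str] = dict(zip(columns, fields))
        if "indicator" in row and re.search(r"\s", row["indicator"]):
            problems.append(f"line {n}: indicator {row['indicator']!r} contains whitespace")
        if "indicator_type" in row and row["indicator_type"] not in KNOWN_TYPES:
            problems.append(f"line {n}: unknown indicator_type {row['indicator_type']!r}")
        if "meta.source" in row and row["meta.source"] in ("", "-"):
            problems.append(f"line {n}: meta.source is required and may not be empty")
        if "meta.do_notice" in row and row["meta.do_notice"] not in ("T", "F", "-"):
            problems.append(f"line {n}: meta.do_notice must be T or F, "
                            f"got {row['meta.do_notice']!r}")
    return problems


# Constructed sample: a loadable file with two canary rows pointing at hosts
# you control (placeholder values), so that visiting one proves intel.log works.
GOOD_INTEL = (
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.do_notice\n"
    "192.0.2.10\tIntel::ADDR\tcanary\tknown-good corporate server\tT\n"
    "canary.example.com\tIntel::DOMAIN\tcanary\tvisit to confirm intel.log is written\tT\n"
    "203.0.113.0/24\tIntel::SUBNET\tblocklist-feed\t-\tF\n"
)

# Constructed sample reproducing the mistakes described in the thread.
BAD_INTEL = (
    "#fields indicator\tindicator_type\tmeta.source\n"  # space after #fields
    "192.0.2.10\tIntel::ADDR\tcanary\r\n"               # CRLF line ending
    "evil.example.net\tIntel::DOMIAN\tfeed\n"           # misspelled type
    "198.51.100.7\tIntel::ADDR\n"                       # meta.source field missing
)

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8", newline="").read() if path else BAD_INTEL
    found = check_intel_file(text)
    for p in found:
        print(p)
    sys.exit(1 if found else 0)
```

Run it over the file you hand to `Intel::read_files` before restarting Zeek; a single bad line, such as a `#fields` header with a space after the keyword, is enough for the input framework to reject the whole file, and the only trace is in reporter.log or stderr.log, never in intel.log. The canary rows implement the trick from the reply: with `@load frameworks/intel/seen` active, connecting to that host from a monitored network should write an intel.log entry, which confirms the file loaded and the seen scripts are wired up.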


From: zeek-bounces at zeek.org <zeek-bounces at zeek.org> On Behalf Of Richter, Cody
Sent: Thursday, August 01, 2019 3:17 PM
To: zeek at zeek.org
Subject: [Zeek] Threat Intel Framework not generating intel.log


Hello there,


I have spent hours attempting to get the threat intel framework running on
Zeek, but still am having no luck. Despite following the tutorials to a T,
there is no intel.log generated with the rest of the log files. Running the
scripts against a generated pcap will create the intel.log file, but nothing
is being made in the logs folder as normal traffic passes through. All other
logs are generating, and I can't seem to find any issues.


Thank you,

Cody
