List:       bro
Subject:    Re: [Bro] Reply: Help with intel framework
From:       Lee Shiry <lee () shiry ! org>
Date:       2018-11-19 18:18:56
Message-ID: 2af53e49-aab5-f4ab-d55a-2f9e7a2fc871 () shiry ! org

Update:

I copied the script and dat file to another box and they seem to work
fine.  I'm not sure why it is not working on the first box.  It is not
logging any errors, and other things seem to work.  I will try
recompiling and reinstalling.

The other problem is that I was not aware that the intel match had to be
an exact match.  Does anyone know if it is possible to use a wildcard or
do a substring search with the intel match?  I tried "*" as a wildcard,
that does not work.

Thanks for all the help!


On 11/19/18 1:09 AM, Zer0d0y wrote:
> Hi,
>     This configuration works for me.
> 
> # bro -v
> /opt/bro/bin/bro version 2.5-1001-debug
> 
> 1.intel.bro
> @load frameworks/intel/seen
> @load frameworks/intel/do_notice
> 
> redef Intel::read_files += {
>         "/path/to/intel-bad-user-agents.dat"
> };
> 
> 2.intel-bad-user-agents.dat
> #fields	indicator	indicator_type	meta.do_notice	meta.source
> Mozilla	Intel::SOFTWARE	T	HTTP::IN_USER_AGENT_HEADER
> 
> 3.tcpdump -nnvv -i eth0 host "IP Address of google.com" and port 80 -w
> intel.pcap
> 
> 4.curl -I -A "Mozilla" http://google.com
> 
> 5.bro -C -r intel.pcap intel.bro
> 
> ########################
> intel.log
> 
> 1542606537.171248	CkvxUu1MujtxrdxMgl	192.168.8.2	58248	192.168.8.1	80	Mozilla	Intel::SOFTWARE	HTTP::IN_USER_AGENT_HEADER	bro	Intel::SOFTWARE	HTTP::IN_USER_AGENT_HEADER	-	-	-
> #close	2018-11-19-14-06-44
> 
> ------------------
> -- 
> Zer0d0y
> Threat Detection & Hunting
> 
> Zer0d0y@tianyulab.com
> 
> 天御实验室 <https://github.com/tianyulab>
>  
> 
> 
> ------------------ Original message ------------------
> *From:* "Lee Shiry"<lee@shiry.org>;
> *Sent:* Saturday, November 17, 2018, 1:23 AM
> *To:* "bro"<bro@bro.org>;
> *Subject:* [Bro] Help with intel framework
> 
> Hi,
> 
> I am trying to use Bro's intel framework and can't seem to get it to
> generate anything in the intel or notice logs.  I'm on version 2.5.5
> in cluster mode.  Everything else seems to work fine.  I see all the
> logs, and notices are working for other event types. I have checked to
> make sure the dat file has only tabs in it to separate fields.  I
> don't see anything coming up in the stderr or reporter log files.  I
> must be missing something.  Any help is appreciated.
> 
> Here is what I have added to local.bro:
> 
> ##################
> @load frameworks/intel/seen
> @load frameworks/intel/do_notice
> 
> redef Intel::read_files += {
>         "/usr/local/intel-bad-user-agents.dat",
> };
> ##################
> 
> 
> Here is the dat file:
> 
> ##################
> # cat /usr/local/intel-bad-user-agents.dat
> #fields	indicator	indicator_type	meta.do_notice	meta.if_in
> 360Spider	Intel::SOFTWARE	T	HTTP::IN_USER_AGENT_HEADER
> Mozilla	Intel::SOFTWARE	T	HTTP::IN_USER_AGENT_HEADER
> ##################
> 
> (I temporarily put Mozilla in there to generate lots of events for
> testing purposes)
> 
> 
> Thanks,
> lms



_______________________________________________
Bro mailing list
bro@bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
