2.5 Intelligence Framework

I’m trying to familiarize myself with the updates/changes to the 2.5 intel framework, as well as start leveraging it to greater use. I’ve come across a couple of issues I’m not quite clear how to solve yet:

  1. Is there a way to expire intel inputs from one input source, but not another?

For example, I have Tor data as an input source, and I’d like to set this up to update several times a day; expiry would be a wonderful option for this data to keep it as accurate as possible. I also have some somewhat static input data that may not be updated regularly via cron, which doesn’t really need expiry at all, save for manual updates to this particular intel file.

  2. Is there a way to only send data to the notice framework from particular sources? Or perhaps this is an issue of suppressing certain emails from the notice framework?

For example, I want to log my Tor hits in intel.log, and I don’t really mind if they show up in notice.log either, but I don’t want to get emails every time I log a Tor node hit. I’d like to reserve emails sent from the notice framework to those from particular data sources which aren’t Tor hits, or of my choosing.

Respectfully,

-Erin Shelton

Program Manager: Incident Response and Network Security
Office of Information Technology
University of Colorado Boulder

Hi Erin,

> I'm trying to familiarize myself with the updates/changes to the 2.5 intel
> framework, as well as start leveraging it to greater use. I've come across
> a couple of issues I'm not quite clear how to solve yet:

I have written a blog post that was intended to be published on the Bro
Blog but somehow that was forgotten. You can find my draft for the post
here: "Blog post about the Intelligence Framework update" (on GitHub).
The post should help to understand the intelligence framework and the
recent updates.

> 1) Is there a way to expire intel inputs from one input source, but not
> another?

Actually, my intention was to allow individual expiration for
intelligence items in the first place. Due to implementation
considerations, there is no "native support" for that feature in the
framework, but the design allows one to realize this feature. There is a
script (see J-Gras/intel-extensions on GitHub: Extensions for Zeek's
Intelligence Framework) that implements per-item expiration. I think it
is also mentioned in the blog post. The script is not well tested and I
haven't registered the package yet. In principle it allows you to specify
expiration for every item using "meta.expire". Thus you should be able to
choose different timeouts for different sources.

> 2) Is there a way to only send data to the notice framework from particular
> sources? Or perhaps this is an issue of suppressing certain emails from the
> notice framework?

Exactly. Although you should be able to suppress notices based on the
mail_ext vector (see
https://github.com/bro/bro/blob/master/scripts/policy/frameworks/intel/do_notice.bro#L66),
that would be somewhat hacky. Maybe it would be better to write your own
version of the do_notice script, which allows suppression by source.

I hope this helps,
Jan
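
To make the second suggestion concrete, below is an added example of a do_notice replacement that decides per intel *source* whether a hit is e-mailed. It is not code from the thread and not Zeek's own do_notice script: Tor hits still reach intel.log and notice.log, but only hits from sources listed in a setting are mailed. The source label "internal-ioc", the setting Intel::email_sources and the Notice::Info field intel_sources are hypothetical names introduced here; the metadata fields meta.do_notice and meta.if_in keep the names used by the stock do_notice script so existing intel files continue to work. Load this instead of policy/frameworks/intel/do_notice, otherwise Intel::Notice would be defined twice.

```zeek
##! Added example (not from the thread, not Zeek's own do_notice): a
##! do_notice replacement with per-source e-mail suppression.
##! Load INSTEAD of policy/frameworks/intel/do_notice.

@load base/frameworks/intel
@load base/frameworks/notice
@load policy/frameworks/intel/seen

module Intel;

export {
	redef enum Notice::Type += {
		## Raised for hits on items whose metadata sets do_notice=T.
		Intel::Notice
	};

	redef record Intel::MetaData += {
		## Same field names as the stock do_notice script, so the
		## meta.do_notice and meta.if_in columns of existing intel files
		## keep working.
		do_notice: bool &default=F;
		if_in: Intel::Where &optional;
	};

	## Hypothetical setting: sources whose hits may be e-mailed. Hits from
	## any other source (a "tor" feed, say) are logged but never mailed.
	const email_sources: set[string] = { "internal-ioc" } &redef;
}

redef record Notice::Info += {
	## Hypothetical, unlogged field that carries the sources behind an
	## intel hit from Intel::extend_match to Notice::policy.
	intel_sources: set[string] &optional;
};

# Same shape as the stock hook: one notice per match, but we also collect
# the sources of the items that made the match notice-worthy.
hook Intel::extend_match(info: Info, s: Seen, items: set[Item]) &priority=-5
	{
	local srcs: set[string] = set();

	for ( item in items )
		{
		if ( ! item$meta$do_notice )
			next;
		if ( item$meta?$if_in && s$where != item$meta$if_in )
			next;
		add srcs[item$meta$source];
		}

	if ( |srcs| == 0 )
		return;

	local n = Notice::Info($note=Intel::Notice,
	                       $msg=fmt("Intel hit on %s at %s", s$indicator, s$where),
	                       $sub=s$indicator,
	                       $intel_sources=srcs);
	if ( s?$conn )
		n$conn = s$conn;
	if ( s?$f )
		n$f = s$f;

	NOTICE(n);
	}

# Runs after the base framework's priority-10 policy hook (the one that
# applies Notice::emailed_types), so the per-source decision wins even if
# Intel::Notice has been added to emailed_types elsewhere.
hook Notice::policy(n: Notice::Info) &priority=-5
	{
	if ( n$note != Intel::Notice || ! n?$intel_sources )
		return;

	local mail = F;
	for ( src in n$intel_sources )
		{
		if ( src in email_sources )
			mail = T;
		}

	if ( mail )
		add n$actions[Notice::ACTION_EMAIL];
	else
		delete n$actions[Notice::ACTION_EMAIL];
	}
```

With this loaded, a Tor exit-node hit (source "tor" in the intel file, not in Intel::email_sources) is written to intel.log by the base framework and to notice.log via ACTION_LOG, but ACTION_EMAIL is stripped; a hit on an item from "internal-ioc" is mailed. If a noisy feed should not appear in notice.log at all, the existing do_notice semantics already cover that: leave meta.do_notice unset (or F) for that source's items.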