bro 2.5 . How to get meta fields on intel.log

Giedrius_Ramas · February 23, 2017, 12:18pm

Hi ,

How can we get working those bro extensions for Bro 2.4 on Bro 2.5
Currently I get errors:

error in /opt/bro/share/bro/base/frameworks/intel/./main.bro, line 155: already defined (Intel::extend_match)
internal warning in /opt/bro/share/bro/my_scripts/intel-ext/./scripts/main.bro, line 20: Duplicate identifier documentation: Intel::extend_match
proxy scripts failed.
error in /opt/bro/share/bro/base/frameworks/intel/./main.bro, line 155: already defined (Intel::extend_match)
internal warning in /opt/bro/share/bro/my_scripts/intel-ext/./scripts/main.bro, line 20: Duplicate identifier documentation: Intel::extend_match
ids-nksc004-eth1-1 scripts failed.
error in /opt/bro/share/bro/base/frameworks/intel/./main.bro, line 155: already defined (Intel::extend_match)
internal warning in /opt/bro/share/bro/my_scripts/intel-ext/./scripts/main.bro, line 20: Duplicate identifier documentation: Intel::extend_match

Our intel data have following format :

#fields indicator indicator_type meta.desc meta.cif_confidence meta.source

And we need to have these meta’s: meta.desc, meta.cif_confidence, meta.source on bro.intel log as previously had with bro extensions for Bro 2.4 found on https://github.com/sethhall/intel-ext

.

Or question is how to get meta fields on bro intel.log.?

Jan · February 23, 2017, 1:12pm

Hi,

How can we get working those bro extensions for Bro 2.4 on Bro 2.5
Currently I get errors:
...
line 20: Duplicate identifier documentation: Intel::extend_match

the intel framework has been reworked for 2.5 and includes a similar
extension mechanism (a hook instead of an event). The following blog
entry goes into details:
http://blog.bro.org/2016/12/the-intelligence-framework-update.html

Or question is how to get meta fields on bro intel.log.?

You can use the extension mechanisms included but keep in mind that each
hit might be associated with multiple indicators and each indicator
might be associated with multiple meta data records.

Jan

Giedrius_Ramas · February 23, 2017, 2:34pm

Thanks, Jan
Got it working .

Seth_Hall3 · February 23, 2017, 2:40pm

Sorry about the confusion. I'll put a note on that repository that the feature is now built into Bro and point to Jan's blog post.

.Seth

Topic		Replies	Views
bro 2.5 . How to get meta fields on intel.log Zeek	1	71	May 6, 2022
Add information to intel.log Zeek	2	71	May 6, 2022
Help with intel framework Zeek	8	79	May 6, 2022
Intel.log wrong format Zeek	3	76	May 6, 2022
Add information to intel.log (Vito Logrillo) Zeek	1	53	May 6, 2022

bro 2.5 . How to get meta fields on intel.log

Related Topics