bro exchange 2013 intel exercises

I’m trying to get the exercises from here going,

My intel.bro:
@load policy/frameworks/intel/seen
@load policy/frameworks/intel/do_notice

redef Intel::read_files += {
fmt("%s/intel.dat", @DIR)
};

My intel.dat:
#fields indicator indicator_type meta.source
fetchback.com Intel::DOMAIN my_special_source

I’ve double-checked the tab spacing and it all looks fine, but every time I run this I receive this error:
bro -C -r exercise-traffic.pcap intel.bro
internal error: Value not found in enum mappimg. Module: GLOBAL, var: , var size: 0
Aborted (core dumped)

I also installed Bro 2.2 from source to my local machine (Mint 13) and get exactly the same error.
Any ideas?

And a follow up question for when I get this sorted:
If I have a txt file with a list of newline-separated IPs (~1500) from malwaredomainlist.com, is this something the intel framework is suited for? Or should I just stick to Snort’s blacklist.rules or Suricata’s equivalent?

Scott

Haven’t run into your first question before, but to answer the second … yes, the Intel framework is suited for IP addresses. Can’t speak for Suricata, but Bro will natively find IP addresses in more places than Snort does.

-Josh

Can you check that there’s only a single tab character between values? In particular, if there is more than one tab between “fetchback.com” and “Intel::DOMAIN” I reproduce that error.

- Jon

Yep, that was it. Narrowed it down to an Emacs issue: if I hit the tab key once there, it would add 2 tabs. Not sure why yet, though.

Thanks
Scott
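
The doubled tab identified in this thread can be caught before Bro ever reads the file. The following is an added example, not part of the original thread or of Bro itself: `lint_intel` is a hypothetical helper that checks an intel file's rows against its `#fields` header, and both sample files are constructed from the one quoted above.

```python
# Added example: lint a Bro intel file for the separator problem from this thread.
# lint_intel() is a hypothetical helper name, not a Bro tool.

def lint_intel(text):
    """Return a list of (line_number, message) problems found in intel-file text."""
    problems = []
    fields = None
    for num, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip("\r")
        if not line.strip():
            continue
        if line.startswith("#fields"):
            cols = line.split("\t")
            if cols[0] != "#fields":
                problems.append((num, "#fields header is not tab-separated"))
            fields = cols[1:]
            if "" in fields:
                problems.append((num, "empty column name (consecutive tabs in header)"))
            continue
        if line.startswith("#"):
            continue  # other comment/metadata lines
        if fields is None:
            problems.append((num, "data row before #fields header"))
            continue
        values = line.split("\t")
        if "" in values:
            problems.append((num, "empty value (consecutive, leading or trailing tab)"))
        if len(values) != len(fields):
            problems.append((num, "expected %d columns, found %d" % (len(fields), len(values))))
        elif "indicator_type" in fields:
            # Heuristic only: the type column should name an Intel:: enum value.
            itype = values[fields.index("indicator_type")]
            if not itype.startswith("Intel::"):
                problems.append((num, "indicator_type %r is not an Intel:: enum name" % itype))
    if fields is None:
        problems.append((0, "no #fields header found"))
    return problems

# Constructed samples: GOOD uses single tabs, BAD has two tabs after the indicator.
GOOD = "#fields\tindicator\tindicator_type\tmeta.source\nfetchback.com\tIntel::DOMAIN\tmy_special_source\n"
BAD = "#fields\tindicator\tindicator_type\tmeta.source\nfetchback.com\t\tIntel::DOMAIN\tmy_special_source\n"

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        for num, msg in lint_intel(sample) or [(0, "ok")]:
            print("%s line %d: %s" % (name, num, msg))
```

With the doubled tab, the value that lands in the `indicator_type` column is an empty string, which the linter reports as both an empty value and a column-count mismatch on line 2.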