Bro Intel framework - filter out

Hi,
I am using a threat intelligence feed from a local installation of the Collective Intelligence Framework v2 and putting data into the Bro Intel framework.
andy@cif2:~$ cif --cc US --tags botnet -l 10 -c 85 -f bro > intel-2.dat
#fields indicator indicator_type meta.desc meta.cif_confidence meta.source
50.17.195.149 Intel::ADDR botnet|gozi 85 bambenekconsulting.com
50.17.195.149 Intel::ADDR botnet|gozi 85 bambenekconsulting.com
50.17.195.149 Intel::ADDR botnet|gozi 85 bambenekconsulting.com
50.17.195.149 Intel::ADDR botnet|gozi 85 bambenekconsulting.com

echo -e "testmyids.com\tIntel::DOMAIN\tsuspicious\t85\tTester" >> intel-2.dat
I added the above for testing purposes so I can trigger an Intel alert and check that everything is working.

This all works great and I can check my Kibana Bro intel dashboard for alerts.

The problem is that CIF2 queries DNS servers for IP addresses for domains in the intel data, so I get a false positive showing my CIF2 server as the source.

I think the answer is to filter out my CIF2 server from Bro, but I’ve not managed to find an example I can follow anywhere. Any suggestions much appreciated.

Kind regards,
Andy
Andrew.Ratcliffe@NSWCSystems.co.uk
CISSP, GCIA, GCIH, GPEN, GWAPT, CSTA, CSTP
Blog.InfoSecMatters.net

You could stop CIF from doing the lookups if you wanted to (or not, depends on if you want that data). Something like this (depending on how you are doing notices) should work:

const intel_server_whitelist: set[addr] = { 10.10.10.10 } &redef;

hook Notice::policy(n: Notice::Info)
	{
	# Only email intel notices whose source is not one of the whitelisted servers.
	if ( n$note == Intel::Notice && n?$src && n$src !in intel_server_whitelist )
		{
		add n$actions[Notice::ACTION_EMAIL];
		}
	}

Regards,
Derek

Thanks for the suggestion. I'm not using the notice, though, just the intel.log:

@load frameworks/intel/seen

redef Intel::read_files += {
	"/usr/local/bro/share/bro/site/intel-2.dat"
};

Is there no way to simply apply a BPF filter to Bro?

Kind regards,
Andy
Andrew.Ratcliffe@NSWCSystems.co.uk
CISSP, GCIA, GCIH, GPEN, GWAPT, CSTA, CSTP, CWSA
Blog.InfoSecMatters.net

Here’s how I do it:

event bro_init() &priority=-12
	{
	# BPF rejects non-network bits in a "net" expression, so use the network
	# address (10.0.0.0/24), not a host address, with the prefix length.
	restrict_filters["ignore"] = "not (net 10.0.0.0/24 or host 10.1.2.3)";
	PacketFilter::install();
	}

There’s probably other, possibly even better, ways to do it, but this works for me.

Mike

FWIW, there is the exclude function in the packet filter framework.

event bro_init()
	{
	# As above, the "net" expression must use the network address (10.0.0.0/24).
	PacketFilter::exclude("ignore this stuff", "net 10.0.0.0/24 or host 10.1.2.3");
	}

  .Seth
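Putting the thread's pieces together, here is an added example (not from any of the posts above) of a site script that loads the CIF intel file and keeps the CIF2 server's own lookups from showing up as intel hits, either by excluding its packets as Seth and Mike suggest or, going one step further, by suppressing only the intel.log entries while keeping the traffic for dns.log. It assumes the CIF2 server is 192.0.2.10 (a documentation address, replace with your own) and, for the Intel::extend_match hook, Bro 2.5 or later / Zeek.

```bro
# Added example; assumes the CIF2 server is 192.0.2.10 (placeholder) and,
# for Intel::extend_match, Bro 2.5+ / Zeek.
@load base/frameworks/packet-filter
@load frameworks/intel/seen

module CIFFilter;

export {
	## Hosts whose own lookups should never produce intel hits.
	const cif_servers: set[addr] = { 192.0.2.10 } &redef;
}

redef Intel::read_files += { "/usr/local/bro/share/bro/site/intel-2.dat" };

# Option 1: keep the CIF server's traffic out of the packet stream entirely.
# Every host in cif_servers becomes part of one BPF exclude expression,
# e.g. "host 192.0.2.10 or host 192.0.2.11".
event bro_init()
	{
	local parts: vector of string = vector();
	for ( h in cif_servers )
		parts[|parts|] = fmt("host %s", h);

	if ( |parts| > 0 &&
	     ! PacketFilter::exclude("cif-lookups", join_string_vec(parts, " or ")) )
		Reporter::warning("CIF exclude filter failed to compile");
	}

# Option 2: keep the traffic (so the lookups still appear in dns.log) but
# suppress intel.log entries for hits whose originator is a CIF server.
# Breaking from this hook prevents the match from being logged.
hook Intel::extend_match(info: Intel::Info, s: Intel::Seen, items: set[Intel::Item])
	{
	if ( s?$conn && s$conn$id$orig_h in cif_servers )
		break;
	}
```

Use one option or the other: with the packet filter in place the hook never sees the CIF server's connections, so enabling both only costs a redundant check.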

Thanks, that's really what I was looking for. I had seen the PacketFilter framework in the Bro documentation, but when I look at the Bro docs it's hard to figure out how to do stuff; I guess it's me, I really need to find a good resource for learning the Bro language.

Kind regards,
Andy
Andrew.Ratcliffe@NSWCSystems.co.uk
CISSP, GCIA, GCIH, GPEN, GWAPT, CSTA, CSTP
Blog.InfoSecMatters.net

It’s not really you, lots of tutorials need to be written for various parts of Bro. :confused:

  .Seth