Hello.
I am running Bro 2.2 from RPM downloaded from Bro.org and recently got interested in enabling the Intel Framework when I watched Liam Randalls talk : https://www.youtube.com/watch?v=8XqiQuy7nFQ
I have downloaded mal-dnssearch and mal-dns2bro scripts and have downloaded all of the feeds to /opt/bro/feeds and enabled the intel framework in /opt/bro/share/bro/site/local.bro:

Load the Intel Framework to be used with mal-dnssearch for

Threat Intelligence data analysis and correlation

http://www.bro.org/sphinx-git/frameworks/intel.html

http://blog.bro.org/2014/01/intelligence-data-and-bro_4980.html

Did you put the configuration into effect? e.g. ``broctl check && broctl install && broctl restart’’

Also, what’s the output of ``tail -1 alienvault.intel | hexdump -c’’?

Hi,
Thanks that works now!

I “forgot” the broctl install command and have just restarted bro hoping it would pick up the config changes…

Is there any way of getting anither variable from the intel file and using it as some kind of tpe/classifier? In the Alienvault example the IP-address comes with a type like “Scanning host”, “Malware domain” etc.

How can I use thst field in the Intel file so that I know what kind of threat it is?

Best regards,

Kim Halavakoski
kim@blackcatsec.net

Sent from my mobile device, excuse my clawfingerness!