bro intel {INTEL::URL} date file format check

Hi,
I am using bro intel, INTEL::URL, in the below format:

#fields indicator indicator_type meta.source meta.url meta.do_notice meta.if_in meta.whitelist
hardcomng.com/doc/Main/ Intel::URL cybercrime-url - T - -
hardcomng.com/diamond/ Intel::URL cybercrime-url - T - -
hardcomng.com/doc/Formgrab/ Intel::URL cybercrime-url - T - -
hardcomng.com/panel/login/ Intel::URL cybercrime-url - T - -
name.xcution.pw/ Intel::URL cybercrime-url - T - -
melatidanes.com/m3l4t1DANES/asset/js/connect/login.php Intel::URL cybercrime-url - T - -
forwarderindia.cf/dollarspanel/login.php Intel::URL cybercrime-url - T - -
nobles-iq.com/WebPanel/login.php Intel::URL cybercrime-url - T - -

But I am facing one problem: in the intel log, seen.indicator is showing blank.

"seen.indicator":"" this is the place where the URL needs to come.

Is my format wrong? I am using the mal-dns2bro.sh script for formatting.

Regards,
Sunu

What does your full intel.log line look like? I'm not sure how indicator could be blank, as that's what triggers the log event in the first place.

{"ts":1529049750.133943,"uid":"CHZHCR1m2zAzOqJer7","id.orig_h":"10.10.49.11","id.orig_p":5345,"id.resp_h":"149.96.16.51","id.resp_p":25,"seen.indicator":"","seen.indicator_type":"Intel::URL","seen.where":"SMTP::IN_MESSAGE","seen.node":"worker-1-4","matched":["Intel::URL"],"sources":["cybercrime-url"]}

We are creating it from:

wget -N http://cybercrime-tracker.net/all.php

./mal-dns2bro.sh -T url -f all.php -s cybercrime-url -n true > cybercrime_url.intel

I think I figured out what is happening here. Are any of the indicators in your .intel file blank?

find_urls and find_all_urls_without_scheme consider http:// or even xxx:// a link, and find_all_urls_without_scheme turns that into just "":

event bro_init()
{
    # "xxx://" has a scheme but nothing after it, so the
    # scheme-less form of the extracted URL is the empty string
    local s = "hello xxx://";
    local urls = find_all_urls_without_scheme(s);
    for ( url in urls ) {
        print fmt("Got [%s]", url);
    }
}

outputs:

Got []

So if your .intel file has any empty URLs and Bro sees a link like http://, it'll do what you are seeing.
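A quick check for the blank-indicator problem described above, as an added example (not code from the thread, from Bro, or from mal-dns2bro.sh): a small Python validator that parses the tab-separated intel file, locates the indicator column from the #fields header, and reports rows whose indicator is empty or whitespace-only. The sample file below is constructed from the entries in the question, with two blank rows added.

```python
# Added example: validate a Zeek/Bro Intel framework file for blank indicators.
# A blank indicator matches the empty string that find_all_urls_without_scheme()
# returns for a bare "http://", which produces intel.log hits with seen.indicator "".
import io

def find_blank_indicators(intel_text):
    """Return [(line_number, reason)] for data rows whose indicator is blank."""
    problems = []
    columns = None
    for lineno, raw in enumerate(io.StringIO(intel_text), start=1):
        line = raw.rstrip("\n")
        if line.startswith("#fields"):
            # Header looks like "#fields<TAB>indicator<TAB>indicator_type<TAB>..."
            columns = line.split("\t")[1:]
            continue
        if line.startswith("#") or line == "":
            continue  # other directives and truly empty lines are skipped
        if columns is None:
            problems.append((lineno, "data row before #fields header"))
            continue
        fields = line.split("\t")
        if len(fields) != len(columns):
            problems.append((lineno, f"expected {len(columns)} fields, got {len(fields)}"))
            continue
        row = dict(zip(columns, fields))
        if row.get("indicator", "").strip() == "":
            problems.append((lineno, "blank indicator"))
    return problems

# Constructed sample: two good rows from the question plus two blank indicators.
SAMPLE_INTEL = "\n".join([
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.url\tmeta.do_notice\tmeta.if_in\tmeta.whitelist",
    "hardcomng.com/doc/Main/\tIntel::URL\tcybercrime-url\t-\tT\t-\t-",
    " \tIntel::URL\tcybercrime-url\t-\tT\t-\t-",       # whitespace-only indicator
    "nobles-iq.com/WebPanel/login.php\tIntel::URL\tcybercrime-url\t-\tT\t-\t-",
    "\tIntel::URL\tcybercrime-url\t-\tT\t-\t-",        # empty indicator
])

if __name__ == "__main__":
    for lineno, reason in find_blank_indicators(SAMPLE_INTEL):
        print(f"line {lineno}: {reason}")
```

Run it against the generated cybercrime_url.intel (read the file into a string) before loading it into Bro; any row it reports should be dropped or repaired.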

Thanks Justin, for helping. The intel file has one blank-space intel entry.