Hi all ,
I am facing an issue when trying to get BRO intel working . The matter is that I cannot get meta data from Intel::MetaData.
The Bro intelligence itself is working fine. Here is my intel.dat file:
#fields indicator indicator_type meta.desc meta.cif_confidence meta.source
honargah.ir/images/sampledata/2013gdoc Intel::URL phishing 85 phishtank.com
and intel.log output:
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path intel
#open 2015-01-22-09-36-43
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc seen.indicator seen.indicator_type seen.where sources
#types time string addr port addr port string string string string enum enum set[string]
1421919403.137259 Cz3Nvm4BHmAtqNxKHa 10.3.2.2 63982 142.4.119.66 80 - – buy-pokerist-chips.com/wealth/t/ Intel::URL HTTP::IN_URL phishtank.com
So as you can see there are any meta data fields on intel.log output.
Please shed some light on this , Where should I look for troubleshooting ?
I have these scripts loaded :
@load frameworks/intel/seen
@load frameworks/intel/do_notice
@load policy/integration/collective-intel
Sorry about that. When I designed the intel framework, I ran into a few conceptual issues that I just offset to a later date. I have done some work to address the shortcoming and I’m hoping to get it merged back in for the 2.4 release. I’ll give some guidance now if you’d like to work with it today…
Clone this repository into your site/ directory…
cd <prefix>/share/bro/site/
git clone https://github.com/sethhall/intel-ext.git intel-ext
Add the “intel-ext” module to your local.bro…
echo “@load intel-ext” >> local.bro
Write and load a script that looks like this…
====script=====
redef record Intel::Info += {
descriptions: set[string] &optional &log;
};
event Intel::extend_match(info: Intel::Info, s: Intel::Seen, items: set[Intel::Item]) &priority=0
{
for ( item in items )
{
if ( ! info?$descriptions )
info$descriptions = set();
add info$descriptions[item$meta$desc];
}
}
====end script====
This will add descriptions from all of your intel in a log named intel-ext.log. Let me know if it works for you.
.Seth
Thank you for writing me back . I have just tried your suggestion however still no luck. Here what I have done :
My intel data file looks like:
#fields indicator indicator_type meta.desc meta.cif_confidence meta.source
summitcpas.com/process/mbb/m2uAccountUpdate/M2ULoginsdo.html Intel::URL phishing 85 phishtank.com
Actually, meta.desc is there (so is meta.source). The descriptions were all that I added with my script. If you want more information added you will have to add it in your custom script. My example should make it easy for you.
.Seth
Tons of thanks, get it working .