broctl status peers 0 / critical stack is running?

Hi everybody,
I’m new to Bro and first of all I would say… thank you for the great product you’ve developed! It is so good and well done! Easy to use! I love the integration with Critical Stack!

I have managed to set up and run BRO on my raspi and everything is ok. Just a couple of questions:

1-Can someone explain to me the meaning of the Peers column?

root@raspberrypi:~# broctl status
Getting process status …
Getting peer status …
Name Type Host Status Pid Peers Started
bro standalone localhost running 6695 0 23 Sep 08:55:03

2-How can I check if Critical Stack is “feeding” Bro?

Thanks!
Federico

The peer column is for when you operate Bro in cluster mode. It will show how many workers are connected to the manager and proxies. Since you are in stand-alone mode, this will not show any peers.

~Gary

Thanks Gary for the info! Are you able to provide me info about my second question as well?

2-How can I check if Critical Stack is “feeding” Bro?

Federico

I haven’t set up Critical Stack before, but my understanding is that if set up correctly you should be seeing an intel.log file being generated. There is an article over at Taosecurity that includes a link to a Google Doc with better details than I can provide. Link below:

http://taosecurity.blogspot.com/2015/01/try-critical-stack-intel-client.html

~Gary

I believe if it is working correctly you will find the file “master-public.bro.dat” inside the criticalstack install directory. The path to that file needs to be added to your load.bro in your /usr/local/bro/share/bro/intel/ directory. Then make sure you load the intel framework in your local.bro and you should be good to go.

Thanks to everyone for the answers.

So, the files are there

root@raspberrypi:/opt/critical-stack/frameworks/intel# tail master-public.bro.dat
177.78.208.98 Intel::ADDR from http://lists.blocklist.de/lists/all.txt via intel.criticalstack.com F
8yhn3hlvcc.centade.com Intel::DOMAIN from http://hosts-file.net/emd.txt via intel.criticalstack.com F
0rx.ru Intel::DOMAIN from http://hosts-file.net/pha.txt via intel.criticalstack.com F
5.167.64.14 Intel::ADDR from http://lists.blocklist.de/lists/all.txt via intel.criticalstack.com F
jjl2au.3v2b7sh2.com Intel::DOMAIN from http://hosts-file.net/emd.txt via intel.criticalstack.com F
nl.secure-update-get.org Intel::DOMAIN from http://hosts-file.net/emd.txt via intel.criticalstack.com F
sekaminerva.com Intel::DOMAIN from http://hosts-file.net/psh.txt via intel.criticalstack.com F
www.apple-sd-icloud.com Intel::DOMAIN from http://hosts-file.net/psh.txt via intel.criticalstack.com F
gracemi.com Intel::DOMAIN from http://hosts-file.net/emd.txt via intel.criticalstack.com F
bitminemart.com Intel::DOMAIN from http://hosts-file.net/fsa.txt via intel.criticalstack.com F

root@raspberrypi:/opt/critical-stack/frameworks/intel# more load.bro
@load ./feeds.bro

root@raspberrypi:/opt/critical-stack/frameworks/intel# more feeds.bro
@load base/frameworks/intel
@load frameworks/intel/seen
@load frameworks/intel/do_notice

redef Intel::read_files += {
"/opt/critical-stack/frameworks/intel/master-public.bro.dat"
};

Then, I have the files under these directories (slightly different from what you suggested, but it should be good anyway):

/opt/bro/share/bro/base/frameworks/intel
/opt/bro/share/bro/base/frameworks/intel/cluster.bro
/opt/bro/share/bro/base/frameworks/intel/input.bro
/opt/bro/share/bro/base/frameworks/intel/load.bro
/opt/bro/share/bro/base/frameworks/intel/main.bro
/opt/bro/share/bro/policy/frameworks/intel
/opt/bro/share/bro/policy/frameworks/intel/do_notice.bro
/opt/bro/share/bro/policy/frameworks/intel/seen
/opt/bro/share/bro/policy/frameworks/intel/seen/conn-established.bro
/opt/bro/share/bro/policy/frameworks/intel/seen/dns.bro
/opt/bro/share/bro/policy/frameworks/intel/seen/file-hashes.bro
/opt/bro/share/bro/policy/frameworks/intel/seen/file-names.bro
/opt/bro/share/bro/policy/frameworks/intel/seen/http-headers.bro
/opt/bro/share/bro/policy/frameworks/intel/seen/http-url.bro
/opt/bro/share/bro/policy/frameworks/intel/seen/load.bro
/opt/bro/share/bro/policy/frameworks/intel/seen/pubkey-hashes.bro
/opt/bro/share/bro/policy/frameworks/intel/seen/smtp.bro
/opt/bro/share/bro/policy/frameworks/intel/seen/smtp-url-extraction.bro
/opt/bro/share/bro/policy/frameworks/intel/seen/ssl.bro
/opt/bro/share/bro/policy/frameworks/intel/seen/where-locations.bro
/opt/bro/share/bro/policy/frameworks/intel/seen/x509.bro
/opt/bro/share/bro/policy/integration/collective-intel
/opt/bro/share/bro/policy/integration/collective-intel/load.bro
/opt/bro/share/bro/policy/integration/collective-intel/main.bro

Can you please confirm whether everything is right from your point of view? I have tried to use Tor as indicated in the guide, but I couldn’t see any intel.log file under the Bro directory.

Federico
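One way to check whether the feed file is in a form Bro's Input framework will actually load, before looking for an intel.log (an added example, not code from the thread, from Bro or from Critical Stack; the sample rows are constructed from the tail output above with tabs restored):

```python
# Added example (not from the thread): a dry-run validator for a Bro Intel
# framework input file such as Critical Stack's master-public.bro.dat. The ASCII
# input reader wants a "#fields" header and TAB-separated columns; rows with
# spaces instead of tabs load nothing, so no intel.log ever appears.
# Indicator types the Intel framework defines (base/frameworks/intel/main.bro).
KNOWN_TYPES = {
    "Intel::ADDR", "Intel::URL", "Intel::SOFTWARE", "Intel::EMAIL", "Intel::DOMAIN",
    "Intel::USER_NAME", "Intel::FILE_HASH", "Intel::FILE_NAME",
    "Intel::CERT_HASH", "Intel::PUBKEY_HASH",
}
REQUIRED = ("indicator", "indicator_type", "meta.source")  # other meta.* are optional

def validate_intel_file(text):
    """Return ({indicator: type} that would load, [problems found])."""
    loaded, errors = {}, []
    lines = text.splitlines()
    if not lines or not lines[0].startswith("#fields\t"):
        return loaded, ["line 1: missing tab-separated '#fields' header"]
    columns = lines[0].split("\t")[1:]
    missing = [c for c in REQUIRED if c not in columns]
    if missing:
        return loaded, ["header lacks required column(s): " + ", ".join(missing)]
    idx = {name: i for i, name in enumerate(columns)}
    for n, line in enumerate(lines[1:], start=2):
        if not line or line.startswith("#"):  # blank lines and directives are skipped
            continue
        cells = line.split("\t")
        if len(cells) != len(columns):
            errors.append(f"line {n}: {len(cells)} tab-separated field(s), expected "
                          f"{len(columns)} (spaces instead of tabs?)")
        elif cells[idx["indicator_type"]] not in KNOWN_TYPES:
            errors.append(f"line {n}: unknown indicator_type {cells[idx['indicator_type']]!r}")
        elif "meta.do_notice" in idx and cells[idx["meta.do_notice"]] not in ("T", "F"):
            errors.append(f"line {n}: meta.do_notice must be T or F")
        else:
            loaded[cells[idx["indicator"]]] = cells[idx["indicator_type"]]
    return loaded, errors

# Constructed sample: a header, two rows from the thread's tail output with the
# tabs restored, and one row pasted with spaces, which the reader would reject.
SAMPLE = (
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.do_notice\n"
    "177.78.208.98\tIntel::ADDR\tfrom http://lists.blocklist.de/lists/all.txt via intel.criticalstack.com\tF\n"
    "0rx.ru\tIntel::DOMAIN\tfrom http://hosts-file.net/pha.txt via intel.criticalstack.com\tF\n"
    "gracemi.com Intel::DOMAIN from http://hosts-file.net/emd.txt via intel.criticalstack.com F\n"
)

if __name__ == "__main__":
    items, problems = validate_intel_file(SAMPLE)
    print(f"{len(items)} indicator(s) would load; problems: {problems}")
```

Run it against the real file with `validate_intel_file(open(path).read())`; if it reports zero loadable rows, the feed is not reaching Bro regardless of how load.bro is wired.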