Does anyone have something they like to use to help create/edit Intel files in bulk? Im trying to find a way to quickly add a lot of domains to one of my Intel files and I really don’t want to have to added them individually.
Thanks,
Mike
Hi Mike,
maybe this script will help you: https://github.com/jonschipp/mal-dnssearch/blob/master/tools/mal-dns2bro.sh
It was mentioned here: http://blog.bro.org/2014/01/intelligence-data-and-bro_4980.html#id4
Regards,
Jan
If you read the below post by Paul Halliday - maintainer of Squert - You will find a one liner command to read a domain-per-line list of domains and convert them into Bro’s intel format. Not sure this fits your profile but it may help.
http://www.pintumbler.org/words/broagentforsguil-nowsupportsintellog
There is also a script on GitHub called bro-intel-generator which reads from PDF or HTML files, extracts domains, IP addresses, and hashes into bro intel format. Again this may not fit your profile, but it may help.
https://github.com/exp0se/bro-intel-generator
With the two examples above may be you can spin up your own script that fits your requirements.
MP
Thanks! These should get me started.
I usually wind up using sed, as long as the file has the domains listed one per line.
Something like:
sed ‘s/^([a-z].*.[a-z]{2,6})$/\1\tIntel::DOMAIN\tfeed info\tF/i’ indicators.intel
(use sed -i to save the changes to the file)