CIF and Bro Integration

Quick question when implementing the Intel Framework based on this post:

http://blog.opensecurityresearch.com/2014/03/identifying-malware-traffic-with-bro.html

Do you need to restart & reinstall BRO for it to grab a new feed? I am going to script up a weekly cif reload and want to make sure.

Thanks

- Tom

- "Life is too short to spend time with people who suck the happy out of you."

The way I understand it, when new items are added to the files you include in the Intel Framework, they are picked up and then in use. However, to remove items requires a Bro restart. Someone please correct me if that is not accurate.

FWIW, I have the CIF client on my Bro boxes pulling daily and I am contemplating a weekly restart to dump anything no longer included in the confidence level of the feed.

Regards,
Derek

That is correct. Explained here and elsewhere in the Bro documentation:
http://blog.bro.org/2014/01/intelligence-data-and-bro_4980.html

You sure about that?

Input::REREAD will add/remove items as needed, but the Input::STREAM
mode is append only.

http://bro.org/sphinx/frameworks/input.html#re-reading-and-streaming-data

I’m not so certain anymore :wink:
It looks like you’re right that the mode is set to REREAD [1].
Though, I’m pretty sure that I’ve read in the documentation that a restart is required for the removal of items.
Maybe that was a mistake. Oh well.

[1] https://github.com/bro/bro/blob/8bfb81ca6fdd1238504b29a6a866170cd0211be6/scripts/base/frameworks/intel/input.bro#L24-L30

You are right about that. Even though reread supports the removal of items,
the current way in which it is used in the intelligence framework does not seem to.

I have to ask Seth why that is the case - it should be easy to change this.

Johanna

Thanks all for the feedback. But now I have run into another issue with generating the CIF feed with the -p bro plugin. The feed did not generate as the attached link's feed did.

From the test feed that was in the supplied link:
#fields indicator indicator_type meta.source meta.desc meta.url meta.cif_impact meta.cif_severity meta.cif_confidence

When I generated my own feed it came back as this.
#fields host net str str_type meta.source meta.desc meta.url meta.cif_impact meta.cif_severity meta.cif_confidence

The attached link (in current thread) feed works and generates the intel.log file, but the one I generate does not generate a log entry. Is there something else in BRO that I need to do for the feed to work properly? If someone could point me in the right direction, I would much appreciate it!

Tom
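A small checker for the header mismatch Tom describes, added here as an example (it is not code from this thread, from Bro or from CIF). It assumes tab-separated intel files as the Bro input framework reads them, and the indicator type names from the Bro intel documentation; the sample feeds are constructed.

```python
"""Check whether a Bro intel feed carries the columns the Intel Framework needs."""
import io

# Columns the intel framework looks up by name; a feed without them loads nothing.
REQUIRED = ("indicator", "indicator_type")
# Indicator types from the Bro intel docs (assumed list; extend for newer releases).
VALID_TYPES = {"Intel::ADDR", "Intel::URL", "Intel::SOFTWARE", "Intel::EMAIL",
               "Intel::DOMAIN", "Intel::USER_NAME", "Intel::FILE_HASH",
               "Intel::FILE_NAME", "Intel::CERT_HASH"}

def parse_feed(text):
    """Return (fields, rows) from a tab-separated feed with a #fields header."""
    fields, rows = None, []
    for raw in io.StringIO(text):
        line = raw.rstrip("\n")
        if not line or (line.startswith("#") and not line.startswith("#fields")):
            continue                      # blank line or other directive/comment
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]  # column names follow the "#fields" token
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        cols = line.split("\t")
        if len(cols) != len(fields):
            raise ValueError("row has %d columns, header has %d" % (len(cols), len(fields)))
        rows.append(dict(zip(fields, cols)))
    return fields, rows

def check_feed(text):
    """Return a list of problems; an empty list means the feed should load."""
    fields, rows = parse_feed(text)
    if fields is None:
        return ["missing #fields header"]
    problems = ["missing required column %r" % n for n in REQUIRED if n not in fields]
    for num, row in enumerate(rows, 1):
        itype = row.get("indicator_type")
        if itype is not None and itype not in VALID_TYPES:
            problems.append("row %d: unknown indicator_type %r" % (num, itype))
    return problems

# Constructed sample: header from the working test feed, plus two made-up rows.
GOOD_FEED = "\n".join([
    "\t".join(["#fields", "indicator", "indicator_type", "meta.source", "meta.desc",
               "meta.url", "meta.cif_impact", "meta.cif_severity", "meta.cif_confidence"]),
    "\t".join(["192.0.2.10", "Intel::ADDR", "cif-example", "test host", "-", "botnet", "high", "85"]),
    "\t".join(["example.net", "Intel::DOMAIN", "cif-example", "test domain", "-", "malware", "medium", "65"]),
])
# Constructed sample: header the older CIF "-p bro" plugin produced, one made-up row.
OLD_CIF_FEED = "\n".join([
    "\t".join(["#fields", "host", "net", "str", "str_type", "meta.source", "meta.desc",
               "meta.url", "meta.cif_impact", "meta.cif_severity", "meta.cif_confidence"]),
    "\t".join(["192.0.2.10", "-", "-", "-", "cif-example", "test host", "-", "botnet", "high", "85"]),
])
```

Running check_feed over the two samples shows why only the first one produces intel.log entries: the second has no indicator or indicator_type column for the framework to read.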

Update.

Well, in looking at the doc on the BRO site, I must have a different version of CIF, causing the BRO plugin to format my feed differently.

Tom

Check out a post I made on this on the CIF user group, it should point you in the right direction.

Regards,
Derek

If you don’t want to upgrade, you can replace that Bro.pm file with this newer one:
https://github.com/csirtgadgets/iodef-pb-simple-perl/blob/master/lib/Iodef/Pb/Format/Bro.pm

Thanks all for the assistance. The deal was my CIF instance was down a couple of levels and the bro plugin was not quite right. Once I updated everything, all was good.

In the process now, with some of Derek’s guidance, to tweak my local.bro and add some more good stuff.

Thanks again!

Tom

Thanks to all who responded.

Just to update everyone on this. When they say RTFM, this was the case for me. I tried to fumble my way through all this and I should have just sat back and read some good posts and documentation. The following two links really point you in the right direction.

#1
http://www.bro.org/bro-exchange-2013/exercises/intel.html

This exercise says it all and makes it very easy to understand. The CIF integration is also pretty easy with this post.

#2
http://blog.opensecurityresearch.com/2014/03/identifying-malware-traffic-with-bro.html

Pretty darn nice implementation for pulling external Intel as well as defining your own.

Love BRO, it's wicked!

Tom