I am trying to use Bro’s intel framework and can’t seem to get it to generate anything in the intel or notice logs. I’m on version 2.5.5 in cluster mode. Everything else seems to work fine. I see all the logs, and notices are working for other event types. I have checked to make sure the dat file has only tabs in it to separate fields. I don’t see anything coming up in the stderr or reporter log files. I must be missing something. Any help is appreciated.
The most important thing is the format of that ".dat" file. If you do
not have tabs entered correctly, the files may not be loaded. Check
your "reporter.log" to see if there are any errors with the input of
your intel file.
Example error:
0.000000 Reporter::WARNING
/nsm/intel/custom.intel/Input::READER_ASCII: Field: meta.do_notice
Invalid value for boolean: meta.do_notice (empty)
And I misread you already did check reporter. Sorry for the noise. I
would get a pcap and test this offline with the intel framework to
make sure everything is working as it should.
I am not seeing any errors show up in the reporter.log or the stderr.log. I verified the tabs are there. I was wondering if I could get it to generate an error, so I intentionally misspelled the name of the dat file in the script, but it did not generate an error. Now I wonder if something else is preventing it from getting that far.
I took a pcap file and ran it standalone against the file. This time it complained that the requested field meta.source was missing. I don’t know why that was not showing up in the reporter or stderr logs. I added the field, and now there are no errors, but still no intel.log.
I have tried several things in offline mode. I am searching for “Firefox” in “Intel::IN_ANYWHERE”, and still no intel hits, even though “firefox” clealry shows up in the http.log in the user agent field.
I copied the script and dat file to another box and they seem to work fine.02 I’m not sure why it is not working on the first box.02 It is not logging any errors, and other things seem to work.02 I will try recompiling and reinstalling.
The other problem is that I was not aware that the intel match had to be an exact match.02 Does anyone know if it is possible to use a wildcard or do a substring search with the intel match?02 I tried “*” as a wildcard, that does not work.