Help with intel framework

Hey,

Just a quick check: Bro won't generate the intel.log if it's unable to load the intel input file to read from.
I was looking at your intel file redefinition:

redef Intel::read_files += {
"/usr/local/intel-bad-user-agents.dat",
};

Can you remove the trailing "," after the "/usr/local/intel-bad-user-agents.dat" line and see if it works?
I am not sure if that line should end with a comma.

Also, can you try with an "Intel::ADDR" type just to check if it's getting triggered?
You can add any IP that you can test with Intel::ADDR and see if that works.

Fatema
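As an added illustration (not part of this thread, and not Bro's own distributed scripts), this is a minimal local.bro that loads the intel file from the thread and the stock "seen" scripts, since intel.log is only written when an Intel::seen() match occurs, not merely when the file is read. The file path, source name and indicator types come from the thread; the handler and the sample indicator lines in the comments are assumptions.

```zeek
# local.bro (added example; assumes Bro 2.x script layout)

# The base intel framework is loaded by default, but it only stores indicators.
# These policy scripts are what actually call Intel::seen() on observed data,
# e.g. connection endpoints (Intel::ADDR) and HTTP User-Agent headers
# (Intel::SOFTWARE). Without them nothing is matched and intel.log stays absent.
@load frameworks/intel/seen

# Optional: raise a notice when an item has meta.do_notice=T.
@load frameworks/intel/do_notice

# The same redefinition as in the thread, with plain ASCII double quotes.
# (Curly quotes pasted from a mail client will not parse.)
redef Intel::read_files += {
    "/usr/local/intel-bad-user-agents.dat",
};

# Debugging aid (assumption): print every match to stdout so you can tell
# whether the problem is loading the file or producing a match.
event Intel::match(s: Intel::Seen, items: set[Intel::Item])
    {
    for ( item in items )
        print fmt("intel hit: %s (%s) from %s",
                  item$indicator, item$indicator_type, item$meta$source);
    }

# The intel file itself must be TAB separated, with a header line, e.g.
# (constructed sample; \t marks a tab, the "mysource" value is from the thread):
#   #fields\tindicator\tindicator_type\tmeta.source
#   192.168.89.130\tIntel::ADDR\tmysource
#   360Spider\tIntel::SOFTWARE\tmysource
```

Note that the trace in the reply below shows Input::end_of_data for the file, which means it was read; a missing intel.log after that points at the matching side (no seen scripts or no traffic hitting the indicators) rather than at the file.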

I removed the comma, and added a line in the dat file using Intel::ADDR, still no intel.log.

I made a tracefile, and can see in there that it reads the dat file:

cat tracefile.log |grep Input

0.000000 /usr/local/bro/share/bro/base/frameworks/input/./main.bro:263 function called: Input::add_event(description = '[source=/usr/local/intel-bad-user-agents.dat, reader=Input::READER_ASCII, mode=Input::REREAD, name=intel-/usr/local/intel-bad-user-agents.dat, fields=, want_record=T, ev=Intel::read_entry
0.000000 /usr/local/bro/share/bro/base/frameworks/input/./main.bro:263 Builtin Function called: Input::__create_event_stream(description = '[source=/usr/local/intel-bad-user-agents.dat, reader=Input::READER_ASCII, mode=Input::REREAD, name=intel-/usr/local/intel-bad-user-agents.dat, fields=, want_record=T, ev=Intel::read_entry
0.000000 /usr/local/bro/share/bro/base/frameworks/intel/./input.bro:17 event called: Intel::read_entry(desc = '[source=/usr/local/intel-bad-user-agents.dat, reader=Input::READER_ASCII, mode=Input::REREAD, name=intel-/usr/local/intel-bad-user-agents.dat, fields=, want_record=T, ev=Intel::read_entry
}]', tpe = 'Input::EVENT_NEW', item = '[indicator=360Spider, indicator_type=Intel::SOFTWARE, meta=[source=mysource, desc=, url=, do_notice=F, if_in=]]')
0.000000 /usr/local/bro/share/bro/base/frameworks/intel/./input.bro:17 event called: Intel::read_entry(desc = '[source=/usr/local/intel-bad-user-agents.dat, reader=Input::READER_ASCII, mode=Input::REREAD, name=intel-/usr/local/intel-bad-user-agents.dat, fields=, want_record=T, ev=Intel::read_entry
}]', tpe = 'Input::EVENT_NEW', item = '[indicator=Firefox, indicator_type=Intel::SOFTWARE, meta=[source=mysource, desc=, url=, do_notice=F, if_in=]]')
0.000000 /usr/local/bro/share/bro/base/frameworks/intel/./input.bro:17 event called: Intel::read_entry(desc = '[source=/usr/local/intel-bad-user-agents.dat, reader=Input::READER_ASCII, mode=Input::REREAD, name=intel-/usr/local/intel-bad-user-agents.dat, fields=, want_record=T, ev=Intel::read_entry
}]', tpe = 'Input::EVENT_NEW', item = '[indicator=192.168.89.130, indicator_type=Intel::ADDR, meta=[source=mysource, desc=, url=, do_notice=F, if_in=]]')
0.000000 /usr/local/bro/share/bro/base/frameworks/input/./main.bro:248 event called: Input::end_of_data(name = 'intel-/usr/local/intel-bad-user-agents.dat', source = '/usr/local/intel-bad-user-agents.dat')