I'm still pretty new to Bro and have a couple of questions about the Intel framework and how to use/leverage it. I've looked through the docs and have it loaded in my local.bro file. I don't see an intel.log in my current or my Bro archive logs (previous dates) directories. Is it correct to assume this means that there have been no hits to the Intel framework?
Secondly, is the Input framework the correct way to scan against intel data I have internally or obtain from other sources? If so, do these text files need to be formatted a certain way, like the pre-formatted feeds mentioned in the docs (mal-dns2bro and CIF)?
Really appreciate the help. Thanks!
I had the same problem when I started using the Intel Framework, and in my case it was a simple case of forgetting to install the configuration. Try running the following commands with broctl:
broctl check && broctl install && broctl restart
Run those and see if you get any hits when connecting to some known-bad IP address from the lists you use; the intel.log should be created by Bro if there is a match between the seen traffic and your Intel feeds.
You can easily match against your own data; just remember to format the data with tab-separated values, as outlined in http://blog.bro.org/2014/01/intelligence-data-and-bro_4980.html :
Sample file output:
#fields	indicator	indicator_type	meta.source	meta.url	meta.do_notice	meta.if_in
advanbusiness.com	Intel::DOMAIN	mandiant	-	F	-
aoldaily.com	Intel::DOMAIN	mandiant	-	F	-
aolon1ine.com	Intel::DOMAIN	mandiant	-	F	-
applesoftupdate.com	Intel::DOMAIN	mandiant	-	F	-
In the example above, mal-dns2bro reads in the mandiant list from stdin and sets the indicator type ("-T") to DNS because the mandiant list consists of only DNS names. The source ("-s") field is also set, which is a short description of where the intelligence data came from.
mal-dns2bro will add the necessary tab-separated columns for the Intel Framework. It accepts a list of a specific indicator type, but supports all of them, with one entry per line. It can read from stdin or from a file ("-f"). If you don't want to use mal-dnssearch, you can create your own lists with a text editor or other program and have mal-dns2bro format them for Bro.
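As an added example (not code from the thread, mal-dns2bro, or the Bro project), the script below does the same job as mal-dns2bro for a plain list of indicators: it emits the tab-separated file with the #fields header the Intel framework expects, and it also checks an existing intel file for the mistakes that silently produce no intel.log (space-separated columns, a missing header, an empty field where "-" is required). The feed lines, the source name and the file path in the comment are constructed for illustration; the indicator types are guessed from the indicator's shape, which is an assumption, so a real feed should state the type explicitly where it is known.

```python
#!/usr/bin/env python3
"""Format raw indicators into a Bro/Zeek Intel-framework file and validate it.

Added example, not part of the original post or of mal-dns2bro.
To load the resulting file, local.bro needs the Intel framework and the
file registered, e.g. (assumed path):
    @load frameworks/intel/seen
    redef Intel::read_files += { "/opt/bro/share/bro/site/intel.dat" };
followed by `broctl check && broctl install && broctl restart`.
"""
import ipaddress

# Column order of the #fields header used in the mal-dns2bro output above.
FIELDS = ["indicator", "indicator_type", "meta.source", "meta.url",
          "meta.do_notice", "meta.if_in"]

# Constructed sample feed (documentation IP range and reserved TLD, not real intel).
RAW_FEED = """# constructed sample feed
advanbusiness.com
aoldaily.com
198.51.100.23
http://example.test/login.php
"""


def normalize(indicator):
    """Strip the URL scheme: Bro's Intel::URL indicators are matched without it."""
    for scheme in ("http://", "https://"):
        if indicator.startswith(scheme):
            return indicator[len(scheme):]
    return indicator


def classify(indicator):
    """Guess the Intel::* type from the indicator's shape (assumption: ADDR, URL or DOMAIN only)."""
    try:
        ipaddress.ip_address(indicator)
        return "Intel::ADDR"
    except ValueError:
        pass
    if "/" in indicator:
        return "Intel::URL"
    return "Intel::DOMAIN"


def to_intel_file(indicators, source, do_notice=False, url="-"):
    """Return the intel file text: '#fields' header plus one TSV row per indicator.

    Blank lines and '#' comments in the input are skipped; empty meta fields are
    written as '-' because the Input framework rejects empty columns.
    """
    lines = ["#fields\t" + "\t".join(FIELDS)]
    for raw in indicators:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        ind = normalize(raw)
        lines.append("\t".join([ind, classify(ind), source, url,
                                "T" if do_notice else "F", "-"]))
    return "\n".join(lines) + "\n"


def check_intel_file(text):
    """Return a list of problems Bro's Input framework would trip over (empty list = OK)."""
    problems = []
    lines = text.splitlines()
    if not lines or not lines[0].startswith("#fields\t"):
        problems.append("line 1: missing tab-separated '#fields' header")
        return problems
    ncols = len(lines[0].split("\t")) - 1  # drop the '#fields' token itself
    for n, line in enumerate(lines[1:], start=2):
        if not line or line.startswith("#"):
            continue
        cols = line.split("\t")
        if len(cols) != ncols:
            hint = " (space-separated?)" if " " in line else ""
            problems.append(f"line {n}: expected {ncols} tab-separated fields, got {len(cols)}{hint}")
            continue
        if any(c == "" for c in cols):
            problems.append(f"line {n}: empty field; use '-' for no value")
        if not cols[1].startswith("Intel::"):
            problems.append(f"line {n}: bad indicator_type {cols[1]!r}")
    return problems


if __name__ == "__main__":
    intel = to_intel_file(RAW_FEED.splitlines(), source="mandiant")
    print(intel, end="")
    print("problems:", check_intel_file(intel) or "none")
```

Run the checker against a feed you wrote by hand before pointing Intel::read_files at it; a file whose columns are separated by spaces instead of tabs is the most common reason a matching indicator never produces an intel.log entry.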