Hi,
I need to generate intel log content into separate logs; I generated all except one field.
I am not able to get the "source" field into the separate log. Any idea how to do this?
My main file:
@load frameworks/intel/seen
redef Intel::read_files += {
    fmt("%s/intel-1.dat", @DIR)
};
@load ./field.bro
#redef LogAscii::use_json=T;

# The Match::LOG stream is created once in bro_init below; creating a stream
# inside the per-record handler would fail.
event Intel::log_intel(rec: Intel::Info)
    {
    if ( rec$seen$where == HTTP::IN_HOST_HEADER )
        {
        print "ssss", rec$seen;
        # uid and id are taken from Intel::Info, which carries them for any
        # connection-based match.
        Log::write(Match::LOG, [$ts=network_time(),
                                $uid=rec$uid,
                                $id=rec$id,
                                $seen_indicator=rec$seen$indicator,
                                $seen_indicator_type=rec$seen$indicator_type,
                                $seen_where=rec$seen$where,
                                $seen_node=rec$seen$node,
                                $matched=rec$seen$indicator_type]);
        print "ssssssss", rec$seen;
        }
    }

event bro_init()
    {
    Log::create_stream(Match::LOG, [$columns=Match::Info, $path="intel_tech"]);
    }
field.bro:
module Match;

export {
    ## Append the value LOG to the Log::ID enumerable.
    redef enum Log::ID += { LOG };

    ## Define a new type called Match::Info.
    ## The indicator-type and location fields use the Intel framework's own
    ## enums (Intel::Type, Intel::Where): the values written to them come from
    ## Intel::Seen, so a locally redefined enum would cause a type clash.
    type Info: record {
        ts:                  time          &log;
        uid:                 string        &log;
        id:                  conn_id       &log;
        seen_indicator:      string        &log;
        seen_indicator_type: Intel::Type   &log &optional;
        seen_where:          Intel::Where  &log;
        seen_node:           string        &log;
        matched:             Intel::Type   &log &optional;
    };
}
I need this from the intel-1.dat file:
www.reddit.com    Intel::DOMAIN    my_special_source   -->> into the source field