Intel.log wrong format

Good morning guys,

I’m using the INTEL bro framework successfully. I’m having a hard time understanding why, inside my intel.log file, the information “Intel::ADDR” is showing twice. It is identified by the fields “seen.indicator_type” and “matched sources”.

This seems wrong; in my understanding, “matched sources” should have been identified by the text “Bad Reputation Domain”, which actually ends up being identified as the field “fuid”.

A log sample is below:

root@BroTest:~# zcat /usr/local/bro/logs/2017-01-23/intel.13:00:00-14:00:00.log.gz
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path intel
#open 2017-01-23-13-01-54
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator seen.indicator_type seen.where seen.node matched sources fuid file_mime_type file_desc
#types time string addr port addr port string enum enum string set[enum] set[string] string string string
1485194513.356126 CVmspB2e68PB5ZiXU5 192.168.1.3 47712 XXX.XXX.XXX.XXX 80 XXX.XXX.XXX.XXX Intel::ADDR Conn::IN_RESP bro Intel::ADDR Bad Reputation Domain - - -
1485194630.876093 CT0uqm4aoaPeGA2RU4 192.168.1.3 47714 XXX.XXX.XXX.XXX 80 XXX.XXX.XXX.XXX Intel::ADDR Conn::IN_RESP bro Intel::ADDR Bad Reputation Domain - - -
1485194636.036057 CbG2JX2YHPJXciEb59 192.168.1.3 47716 XXX.XXX.XXX.XXX 80 XXX.XXX.XXX.XXX Intel::ADDR Conn::IN_RESP bro Intel::ADDR Bad Reputation Domain - - -
1485194640.586000 CCEoOs3ka9x4Qeqo7f 192.168.1.3 47718 XXX.XXX.XXX.XXX 80 XXX.XXX.XXX.XXX Intel::ADDR Conn::IN_RESP bro Intel::ADDR Bad Reputation Domain - - -
1485195059.276054 CyJZA6iIJMyaC6QL8 192.168.1.100 41913 XXX.XXX.XXX.XXX 80 XXX.XXX.XXX.XXX Intel::ADDR Conn::IN_RESP bro Intel::ADDR Bad Reputation Domain - - -
1485195061.556121 Cogijk3k5VH5Oxp9o9 192.168.1.3 47720 XXX.XXX.XXX.XXX 80 XXX.XXX.XXX.XXX Intel::ADDR Conn::IN_RESP bro Intel::ADDR Bad Reputation Domain - - -
1485195102.716131 CYGoic29UuEmw9iO5 192.168.1.3 47722 XXX.XXX.XXX.XXX 80 XXX.XXX.XXX.XXX Intel::ADDR Conn::IN_RESP bro Intel::ADDR Bad Reputation Domain - - -
1485195327.906063 CinQa13NxfIZEwyg73 192.168.1.3 47724 XXX.XXX.XXX.XXX 80 XXX.XXX.XXX.XXX Intel::ADDR Conn::IN_RESP bro Intel::ADDR Bad Reputation Domain - - -

Any help would be very useful! Thank you

The log is fine, I think you're just looking at the wrong columns. Try piping the log file to this alias, and you'll see that the fields line up the way they are supposed to.

alias bro-column="sed \"s/fields.//;s/types.//\" | column -s $'\t' -t"
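The alias lines the columns up visually; the same point can be checked programmatically by parsing the log with the `#fields` and `#types` lines it carries. The parser below is an added example, not code from this thread or from Bro. It assumes a constructed sample in which the redacted responder address is replaced by 198.51.100.10 (an RFC 5737 documentation address) and the columns are real tabs, as in the on-disk log.

```python
"""Parse a Bro/Zeek ASCII log by its own #fields/#types header.

Added example; not code from the thread or from Bro. It confirms
that "matched" and "sources" are separate tab-delimited columns, so
each row carries Intel::ADDR under "matched" and the intel source
name under "sources", while "fuid" is simply unset ("-").
"""
from typing import Any, Dict, List

# Constructed sample: the header from the thread plus one row, with the
# redacted responder address replaced by 198.51.100.10 (RFC 5737).
SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tintel",
    "#open\t2017-01-23-13-01-54",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p"
    "\tseen.indicator\tseen.indicator_type\tseen.where\tseen.node"
    "\tmatched\tsources\tfuid\tfile_mime_type\tfile_desc",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tenum\tenum"
    "\tstring\tset[enum]\tset[string]\tstring\tstring\tstring",
    "1485194513.356126\tCVmspB2e68PB5ZiXU5\t192.168.1.3\t47712"
    "\t198.51.100.10\t80\t198.51.100.10\tIntel::ADDR\tConn::IN_RESP\tbro"
    "\tIntel::ADDR\tBad Reputation Domain\t-\t-\t-",
    "#close\t2017-01-23-14-00-00",
])


def _convert(raw: str, typ: str, set_sep: str, empty: str, unset: str) -> Any:
    """Turn one raw cell into a Python value according to its Bro type."""
    if raw == unset:
        return None
    if typ.startswith("set[") or typ.startswith("vector["):
        items = [] if raw == empty else raw.split(set_sep)
        return set(items) if typ.startswith("set[") else items
    if typ in ("count", "int", "port"):
        return int(raw)
    if typ in ("time", "interval", "double"):
        return float(raw)
    if typ == "bool":
        return raw == "T"
    return raw  # string, addr, subnet, enum: keep the text


def parse_bro_log(text: str) -> List[Dict[str, Any]]:
    """Return one dict per data row, keyed by the names in the #fields line."""
    sep, set_sep, empty, unset = "\t", ",", "(empty)", "-"
    fields: List[str] = []
    types: List[str] = []
    rows: List[Dict[str, Any]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            # Bro writes the separator as a \xNN escape after a literal space.
            val = line[len("#separator "):]
            sep = chr(int(val[2:], 16)) if val.startswith("\\x") else val
            continue
        if line.startswith("#"):
            key, _, val = line[1:].partition(sep)
            if key == "set_separator":
                set_sep = val
            elif key == "empty_field":
                empty = val
            elif key == "unset_field":
                unset = val
            elif key == "fields":
                fields = val.split(sep)
            elif key == "types":
                types = val.split(sep)
            continue  # #path, #open, #close carry no row data
        cells = line.split(sep)
        if len(cells) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(cells)}: {line!r}")
        rows.append({name: _convert(raw, typ, set_sep, empty, unset)
                     for name, typ, raw in zip(fields, types, cells)})
    return rows


if __name__ == "__main__":
    for row in parse_bro_log(SAMPLE_LOG):
        for name in ("seen.indicator", "seen.indicator_type", "matched", "sources", "fuid"):
            print(f"{name:20} {row[name]!r}")
```

Parsing by the header rather than by eye is also what you want in a SIEM pipeline: a `set[...]` column such as `matched` or `sources` can hold several comma-separated values in one cell, and a `-` is an unset field, not a literal dash.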

Hi Rodrigo,

> I'm using the INTEL bro framework successfully. I'm having a hard time
> understanding why inside my intel.log file, the information "Intel::ADDR" is
> showing twice. It is identified by the fields "seen.indicator_type" and
> "matched sources".

nice to hear that the intel framework is useful to you. As Justin
already pointed out, "matched" and "sources" are two different fields.

The fields "seen.indicator_type" and "matched" have a slightly different
meaning. For example if you specify a subnet in your intel file and you
see a connection to an IP inside this subnet, "seen.indicator_type" will
be Intel::ADDR while "matched" will be Intel::SUBNET. For more details
about the data model the blog post about the intelligence framework
update might be interesting:
http://blog.bro.org/2016/12/the-intelligence-framework-update.html

I hope this helps,
Jan
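To make the distinction between seen.indicator_type and matched concrete, here is a small model of the lookup, written as an added example rather than the framework's own code. It assumes a constructed intel file that uses the column names of a real Bro intel file (indicator, indicator_type, meta.source) and RFC 5737 documentation ranges; it handles only Intel::ADDR and Intel::SUBNET items.

```python
"""Simplified model of how the intel framework fills "matched" and "sources".

Added example; not the framework's code. The observed thing is an
address (seen.indicator_type = Intel::ADDR), while "matched" lists the
types of the indicators that hit it, which may be Intel::SUBNET,
Intel::ADDR, or both, and "sources" is the union of their meta.source
values. The intel file below is constructed for this example.
"""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple, Union

INTEL_FILE = "\n".join([
    "#fields\tindicator\tindicator_type\tmeta.source",
    "203.0.113.0/24\tIntel::SUBNET\tBad Reputation Net",
    "203.0.113.7\tIntel::ADDR\tBad Reputation Domain",
    "198.51.100.10\tIntel::ADDR\tBad Reputation Domain",
])

Item = Tuple[str, str]  # (indicator_type, meta.source)
AnyAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
AnyNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def load_intel(text: str) -> Tuple[Dict[AnyAddr, List[Item]], List[Tuple[AnyNet, Item]]]:
    """Index ADDR items by address; keep SUBNET items for containment checks."""
    addrs: Dict[AnyAddr, List[Item]] = {}
    subnets: List[Tuple[AnyNet, Item]] = []
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split("\t")))
        item: Item = (rec["indicator_type"], rec["meta.source"])
        if item[0] == "Intel::ADDR":
            addrs.setdefault(ipaddress.ip_address(rec["indicator"]), []).append(item)
        elif item[0] == "Intel::SUBNET":
            subnets.append((ipaddress.ip_network(rec["indicator"]), item))
        else:
            raise ValueError(f"this model only handles ADDR and SUBNET items: {line!r}")
    return addrs, subnets


def seen_addr(observed: str,
              addrs: Dict[AnyAddr, List[Item]],
              subnets: List[Tuple[AnyNet, Item]]) -> Optional[Tuple[str, Set[str], Set[str]]]:
    """Model an address being reported as seen.

    Returns (seen.indicator_type, matched, sources), or None when no
    indicator hits, which is the case in which no intel.log row is written.
    """
    addr = ipaddress.ip_address(observed)
    hits: List[Item] = list(addrs.get(addr, []))          # exact ADDR items
    hits += [item for net, item in subnets if addr in net]  # containing SUBNET items
    if not hits:
        return None
    matched = {indicator_type for indicator_type, _ in hits}
    sources = {source for _, source in hits}
    return "Intel::ADDR", matched, sources


if __name__ == "__main__":
    store = load_intel(INTEL_FILE)
    for ip in ("203.0.113.50", "203.0.113.7", "198.51.100.10", "192.0.2.1"):
        print(ip, seen_addr(ip, *store))
```

Running it shows the case from Jan's reply: 203.0.113.50 is only covered by the subnet item, so seen.indicator_type stays Intel::ADDR while matched is {Intel::SUBNET}; 203.0.113.7 is hit by both an ADDR and a SUBNET item, so matched carries both types and sources carries both source names.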