I want to use the intelligence framework to detect malicious IPs and domains.
Here is the Bro script:
@load frameworks/intel/seen
@load frameworks/intel/do_notice

export {
    redef Intel::read_files += {
        fmt("%s/../data/block_list_domain.intel", @DIR),
        fmt("%s/../data/block_list_ip.intel", @DIR),
    };
}
And here is some intelligence data:
#fields	indicator	indicator_type	meta.source
113.23.72.15	Intel::ADDR	testip
189.174.159.120	Intel::ADDR	testip
27.159.231.181	Intel::ADDR	testip
119.254.102.90	Intel::ADDR	testip

#fields	indicator	indicator_type	meta.source
nudmmflaurbthpw.www.w88top.com	Intel::DOMAIN	testdomain
a.ns.igcdn.com	Intel::DOMAIN	testdomain
bttracker.crunchbanglinux.org	Intel::DOMAIN	testdomain
mail.yinpiao.com	Intel::DOMAIN	testdomain
And I set do_notice to T in do_notice.bro.
It works fine in standalone mode.
But there is no data in notice.log or intel.log when I use a Bro cluster.
And here is my node.cfg:
[manager]
type=manager
host=localhost

[proxy]
type=proxy
host=localhost

[worker]
type=worker
host=localhost
interface=em4
lb_method=pf_ring
lb_procs=8
pin_cpus=0,2,4,6,8,10,12,14
As you can see, the manager, the proxy and the workers are all on one computer.
I have read the documentation about the intelligence framework, and it says: “Remember, the files only need to be present on the file system of the manager node on cluster deployments.”
So I modified my Bro script as follows:
@load frameworks/intel/seen
@load frameworks/intel/do_notice

export {
    @if ( Cluster::is_enabled() && Cluster::local_node_type() == Cluster::MANAGER )
    redef Intel::read_files += {
        fmt("%s/…/data/block_list_domain.intel", @DIR),
        fmt("%s/…/data/block_list_ip.intel", @DIR),
    };
    @endif
}
But it still does not work, and there is no notice.log or intel.log.
Could anyone help me? Thanks very much.
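A common reason the intel framework loads nothing, and logs nothing, is that the intel file itself is not in the exact shape the input framework expects: the `#fields` header and every data row must be tab-separated (spaces are not a separator), line endings must be LF, and each `indicator_type` must be a valid `Intel::Type` value. The checker below is an added example written for this post; it is not part of the Bro project and not code from the original message. It assumes the `Intel::Type` names as found in current Zeek/Bro (the set in `KNOWN_TYPES`) and builds its sample files inline from the indicators shown in the post plus some constructed bad rows, so it runs offline.

```python
"""Sanity-check an Intel::read_files input file before pointing Bro at it (added example)."""
import ipaddress
from typing import Dict, List

# Indicator types accepted by the intel framework (Intel::Type enum, assumed
# from current Zeek/Bro; older releases lack SUBNET and PUBKEY_HASH).
KNOWN_TYPES = {
    "Intel::ADDR", "Intel::SUBNET", "Intel::URL", "Intel::SOFTWARE",
    "Intel::EMAIL", "Intel::DOMAIN", "Intel::USER_NAME", "Intel::CERT_HASH",
    "Intel::FILE_HASH", "Intel::FILE_NAME", "Intel::PUBKEY_HASH",
}
REQUIRED_COLUMNS = ("indicator", "indicator_type", "meta.source")


def validate_intel_file(text: str) -> List[str]:
    """Return a list of human-readable problems; an empty list means the file is usable."""
    problems: List[str] = []
    if "\r" in text:
        problems.append("file contains CR characters (Windows line endings); use LF only")
    lines = text.replace("\r", "").split("\n")
    header = lines[0] if lines else ""
    if not header.startswith("#fields"):
        problems.append("line 1: first line must be a '#fields' header")
        return problems
    if "\t" not in header:
        problems.append("line 1: '#fields' header is separated by spaces, not tabs; "
                        "the input framework only splits on tabs")
        return problems
    columns = header.split("\t")[1:]
    missing = [name for name in REQUIRED_COLUMNS if name not in columns]
    for name in missing:
        problems.append(f"line 1: required column '{name}' missing from header")
    if missing:
        return problems
    for lineno, line in enumerate(lines[1:], start=2):
        if not line.strip() or line.startswith("#"):
            continue  # blank lines and further '#' directives are not data rows
        fields = line.split("\t")
        if len(fields) != len(columns):
            problems.append(f"line {lineno}: expected {len(columns)} tab-separated "
                            f"fields, got {len(fields)}")
            continue
        problems.extend(_check_record(lineno, dict(zip(columns, fields))))
    return problems


def _check_record(lineno: int, rec: Dict[str, str]) -> List[str]:
    """Check one data row: known type, indicator matches the type, source present."""
    out: List[str] = []
    itype, indicator = rec["indicator_type"], rec["indicator"]
    if itype not in KNOWN_TYPES:
        out.append(f"line {lineno}: unknown indicator_type '{itype}'")
        return out
    if itype == "Intel::ADDR":
        try:
            ipaddress.ip_address(indicator)
        except ValueError:
            out.append(f"line {lineno}: '{indicator}' is not an IP address (Intel::ADDR)")
    elif itype == "Intel::SUBNET":
        try:
            ipaddress.ip_network(indicator, strict=False)
        except ValueError:
            out.append(f"line {lineno}: '{indicator}' is not a CIDR prefix (Intel::SUBNET)")
    elif itype == "Intel::DOMAIN":
        # A URL or host:port in a DOMAIN row never matches DNS/Host names seen on the wire.
        if not indicator or "/" in indicator or ":" in indicator:
            out.append(f"line {lineno}: '{indicator}' is not a bare domain name (Intel::DOMAIN)")
    if not rec["meta.source"]:
        out.append(f"line {lineno}: meta.source is empty")
    return out


# Constructed samples. The first two mirror the post's files, tab-separated.
GOOD_IP_FILE = (
    "#fields\tindicator\tindicator_type\tmeta.source\n"
    "113.23.72.15\tIntel::ADDR\ttestip\n"
    "189.174.159.120\tIntel::ADDR\ttestip\n"
)
GOOD_DOMAIN_FILE = (
    "#fields\tindicator\tindicator_type\tmeta.source\n"
    "a.ns.igcdn.com\tIntel::DOMAIN\ttestdomain\n"
    "mail.yinpiao.com\tIntel::DOMAIN\ttestdomain\n"
)
# The same rows separated by spaces, which the ASCII reader silently ignores.
SPACE_SEPARATED_FILE = (
    "#fields indicator indicator_type meta.source\n"
    "27.159.231.181 Intel::ADDR testip\n"
)
# Constructed rows with one defect each (bad IP, misspelt type, URL in a DOMAIN row).
BAD_ROWS_FILE = (
    "#fields\tindicator\tindicator_type\tmeta.source\n"
    "119.254.102.90\tIntel::ADDR\ttestip\n"
    "not-an-ip\tIntel::ADDR\ttestip\n"
    "bttracker.crunchbanglinux.org\tIntel::DOMIAN\ttestdomain\n"
    "http://mail.yinpiao.com/\tIntel::DOMAIN\ttestdomain\n"
)

if __name__ == "__main__":
    for name, sample in [("ip", GOOD_IP_FILE), ("domain", GOOD_DOMAIN_FILE),
                         ("spaces", SPACE_SEPARATED_FILE), ("bad rows", BAD_ROWS_FILE)]:
        print(name, validate_intel_file(sample) or "ok")
```

Run it against the real files (`validate_intel_file(open(path).read())`) on the manager, since in a cluster only the manager reads `Intel::read_files` and then distributes the items to the workers; a file the manager cannot parse produces no `intel.log` entries anywhere and no error in `notice.log`, which matches the symptom described above.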