Issues with Intel::FILE_NAME not working.

William_Dieterich · July 9, 2019, 6:27pm

Using the Intel Framework I cannot get Intel::FILE_NAME to fire. It
is working with any other type so my script and read file is good.

I am loading the following scripts

Policy/frameworks/intel/seen
policy/frameworks/intel/do_notice
frameworks/file/hash-all-files.bro
base/frameworks/intel/files.bro

Loading hash-all-files.bro is there so that Intel::FILE_HASH works, is
there a better way?

I am taking filenames from both my files.log and http.log files so I
know the files exist. I am getting no errors in recorder.log and am
running from the command line and no errors are there. Any ideas on
what I am doing wrong?

Jan · July 10, 2019, 10:03am

Hi William,

the script seen/file-names.zeek [1] defines how file names are reported to the intel framework. To match, the indicator has to be identical to f$info$filename.

Jan

[1] https://github.com/zeek/zeek/blob/master/scripts/policy/frameworks/intel/seen/file-names.zeek

Topic		Replies	Views
Intel::FILE_NAME and SMB_files behavior questions Zeek	5	77	May 6, 2022
Intel Framework and email alerts Zeek	3	51	May 6, 2022
Intel Framework Issues Zeek	3	68	May 6, 2022
Whitelist a file/hash Zeek	1	49	May 6, 2022
scripting a notice based on software framework Zeek	1	53	May 6, 2022

Issues with Intel::FILE_NAME not working.

Related Topics