Issues with Intel::FILE_NAME not working.

William_Dieterich · July 9, 2019, 6:27pm

Using the Intel Framework I cannot get Intel::FILE_NAME to fire. It
is working with any other type so my script and read file is good.

I am loading the following scripts

Policy/frameworks/intel/seen
policy/frameworks/intel/do_notice
frameworks/file/hash-all-files.bro
base/frameworks/intel/files.bro

Loading hash-all-files.bro is there so that Intel::FILE_HASH works, is
there a better way?

I am taking filenames from both my files.log and http.log files so I
know the files exist. I am getting no errors in recorder.log and am
running from the command line and no errors are there. Any ideas on
what I am doing wrong?

Jan · July 10, 2019, 10:03am

Hi William,

the script seen/file-names.zeek [1] defines how file names are reported to the intel framework. To match, the indicator has to be identical to f$info$filename.

Jan

[1] https://github.com/zeek/zeek/blob/master/scripts/policy/frameworks/intel/seen/file-names.zeek

Topic		Replies	Views
threat intel questions Zeek	5	116	May 6, 2022
Zeek - Usecase based File Extraction Zeek	3	98	May 6, 2022
Unable to generate Intel log Zeek	3	220	May 6, 2022
Detecting md5 Zeek	2	95	May 6, 2022
Trying to get a simple detection on certificate hashes to fire Zeek	3	89	May 6, 2022

Issues with Intel::FILE_NAME not working.

Related Topics