I’m running Bro on a fairly new distributed security onion setup - we have 3 sensors running bro in our environment. We’re running bro version 2.4.1. I’ve been wanting to add Critical Stack’s intel agent into our stack, but wanted to test how the intel framework works before we set it all up. To test the framework, I added a test domain (www.reddit.com) and two test IP addresses to intel.dat. I also downloaded and formatted a list of known malicious domains using the instructions found here: pintumbler.org - Bro Agent for Sguil - Now supports Intel.log, and saved this file in $bropath/share/bro/intel/intel_domans.dat. To test this list, I appended an entry for www.linux.com. All these files are tab delimited. We’re having two large reliability issues with the intel framework:
1 - My rule for the reddit.com domain in intel.dat fires sporadically, and it seems like only for certain subnets / end users. I can not get that alert to trip for me by browsing to reddit.com, despite seeing these connections in http.log and conn.log. The rules for Intel::ADDR in intel.dat never fire, even though we do see connections to those addresses in conn.log. Where can I look for what may be causing this unreliable intel alerting? Obviously intel.dat is loaded correctly as reddit.com generates intel hits for *some* users. I haven’t done anything to whitelist IP’s or subnets from alerting (I don't even know where to do this).
2 - This could be the exact same problem as #1, but I don’t seem to be getting any alerts from my intel_domains.dat file that I created. I tested this by adding www.linux.com as an intel rule, and it could just be that none of my user base that seems to be capable of generating alerts is visiting linux.com. I want to verify that I loaded this new file correctly.
The attached text file contains redacted information from our bro logs. I have my IP, and other endpoints that either have or should be generating alerts, and our proxy IP defined at the top. The first section should demonstrate that my IP is not generating intel hits even though the logs are present, and that others are generating intel hits. The second section is evidence of the Intel::ADDR rules that fail to fire at all. The third section is the __load__.bro file which I assume is all I need to modify in order to load my new intel_domains.dat file, created following the link above.
Please let me know if any more specific information could help pinpoint this issue and I’d be happy to provide! I’m excited to use Bro to identify (potential) compromise and hunt for other interesting things in my environment, but don’t want to jump the gun and implement intel when it doesn’t seem to be working reliably for us.
Intel Issues - Redacted.txt (7.61 KB)