question: "intel.log" not generated

Hi everyone,

I am new to Bro and I am learning to use the Intelligence framework. I followed the Bro Intel Framework Exercises which can be found in the following link.
https://www.bro.org/current/exercises/intel/index.html

For the first exercise, everything went well except that no "intel.log" file was generated. Does anyone know the reason and how to get it work?

Thanks a lot.

Wenyu

It sounds like everything actually didn't go very well. :slight_smile:

Could you give us some more information about what you did?

  .Seth

I tried it and encountered the same problem.

It seems that the pcap file got truncated somehow.
I still have a copy of the pcap file that was
originally distributed for these exercises and the
original file is much larger.

I've replaced the "exercise-traffic.pcap" file on the web site
with the original file, so the exercise should work now.

Hi Brolist,
I ran some interesting pcaps using Bro-2.3, but there are some HTTP sessions that Bro-2.3 cannot tackle properly.
For example, this pcap file from malware-traffic-analysis.net: http://malware-traffic-analysis.net/2014/10/03/2014-10-03-Sweet-Orange-EK-traffic.pcap This is exploit traffic, and Bro cannot get ‘Resp_mime_types’ in the request to ‘epavers.com - contact with domain owner | Epik.com’.

As shown above, Bro-2.3 parses the ‘Resp_mime_types’ as ‘-’. But in fact, when I use Wireshark to parse this stream, the type is ‘application/x-shockwave-flash’.

In fact I have encountered this problem several times, so I wonder why this happened and how to solve it!
Thanks a lot if anyone can answer my question!
Yours,
Rui-Yuan

What you're seeing there is what the server declared the content to be. Bro ignores that value and sniffs the content to try and identify it.

You have found a weakness in our shockwave detection fingerprint though. I'm going to be doing a commit into master soon that improves on our Flash detection (our signatures don't detect LZMA compressed flash files).

  .Seth
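To make Seth's point concrete, here is an added Python example (not Bro code, and not the signature change he refers to) that keeps the two views Bro keeps of an HTTP response: what the `Content-Type` header declares, and what the first bytes of the body actually are. It sniffs Flash (SWF) bodies by their file header; the `FWS`, `CWS` and `ZWS` magics and the header layout come from the SWF file format, where `ZWS` marks an LZMA-compressed file. Passing `detect_lzma=False` mimics a signature that only knows the `FWS`/`CWS` variants, which is why an LZMA-compressed SWF ends up logged as `-` even when Wireshark shows the declared type. The sample responses are constructed, not captured traffic.

```python
import struct

# SWF files start with a 3-byte magic: "FWS" (uncompressed), "CWS" (zlib,
# since SWF 6) or "ZWS" (LZMA, since SWF 13). The header continues with a
# 1-byte version and a 4-byte little-endian uncompressed length.
SWF_MAGIC = {b"FWS": "uncompressed", b"CWS": "zlib", b"ZWS": "lzma"}
FLASH_MIME = "application/x-shockwave-flash"


def split_response(raw: bytes):
    """Return (declared content-type or None, body) for a raw HTTP response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    declared = None
    for line in head.split(b"\r\n")[1:]:        # skip the status line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-type":
            declared = value.split(b";")[0].strip().decode("ascii", "replace").lower()
    return declared, body


def sniff_flash(body: bytes, detect_lzma: bool = True):
    """Content-based SWF check. With detect_lzma=False it behaves like a
    signature that only knows FWS/CWS and therefore misses ZWS bodies."""
    magic = body[:3]
    if magic not in SWF_MAGIC or len(body) < 8:
        return None
    if magic == b"ZWS" and not detect_lzma:
        return None
    version = body[3]
    length = struct.unpack_from("<I", body, 4)[0]
    return {"mime": FLASH_MIME, "compression": SWF_MAGIC[magic],
            "version": version, "uncompressed_len": length}


def classify(raw: bytes, detect_lzma: bool = True) -> dict:
    """Declared type (ignored for the verdict) vs sniffed type (the verdict)."""
    declared, body = split_response(raw)
    hit = sniff_flash(body, detect_lzma)
    return {
        "declared": declared,
        "sniffed": hit["mime"] if hit else "-",   # Bro logs '-' when nothing matched
        "compression": hit["compression"] if hit else None,
        "header_agrees": bool(hit) and declared == FLASH_MIME,
    }


def swf_body(magic: bytes, version: int, payload: bytes) -> bytes:
    """Build a constructed SWF-looking body (header only, not a playable file)."""
    return magic + bytes([version]) + struct.pack("<I", 0x1000) + payload


# Constructed sample responses (not captured traffic).
# LZMA-compressed SWF served with a generic content type.
RESP_LZMA = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
             + swf_body(b"ZWS", 13, struct.pack("<I", 0x800) + b"\x5d\x00\x00\x80\x00" + b"\x00" * 16))
# Uncompressed SWF with an honest header.
RESP_PLAIN = (b"HTTP/1.1 200 OK\r\nContent-Type: application/x-shockwave-flash\r\n\r\n"
              + swf_body(b"FWS", 10, b"\x00" * 16))
# zlib-compressed SWF mislabelled as HTML: the header lies, the bytes do not.
RESP_LIE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
            + swf_body(b"CWS", 8, b"\x78\x9c" + b"\x00" * 16))

if __name__ == "__main__":
    for name, raw in (("lzma", RESP_LZMA), ("plain", RESP_PLAIN), ("lie", RESP_LIE)):
        print(name, "| old signature:", classify(raw, detect_lzma=False)["sniffed"],
              "| extended:", classify(raw)["sniffed"],
              "| declared:", classify(raw)["declared"])
```

Running it shows the `lzma` sample sniffed as `-` by the FWS/CWS-only check and as `application/x-shockwave-flash` once `ZWS` is recognised, while the `lie` sample is identified as Flash regardless of its `text/html` header. That is the reason a field like `resp_mime_types` is filled from the body rather than the header: the header is attacker-controlled, the first bytes of the file are not.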