I am new to Bro and I am learning to use the Intelligence framework. I followed the Bro Intel Framework Exercises, which can be found at the following link.
For the first exercise, everything went well except that no "intel.log" file was generated. Does anyone know the reason and how to get it to work?
Thanks a lot.
It sounds like everything actually didn't go very well.
Could you give us some more information about what you did?
I tried it and encountered the same problem.
It seems that the pcap file got truncated somehow.
I still have a copy of the pcap file that was originally distributed for these exercises and the original file is much larger.
I've replaced the "exercise-traffic.pcap" file on the web site with the original file, so the exercise should work now.
I ran some interesting pcaps using Bro-2.3, but there are some HTTP sessions that Bro-2.3 cannot tackle properly.
For example, this pcap file from malware-traffic-analysis.net: http://malware-traffic-analysis.net/2014/10/03/2014-10-03-Sweet-Orange-EK-traffic.pcap This is exploit traffic and Bro cannot get 'resp_mime_types' in the request to 'epavers.com'.
As shown above, Bro-2.3 parses the 'resp_mime_types' as '-'. But in fact, when I use Wireshark to parse this stream, the type is 'application/x-shockwave-flash'.
In fact I have encountered this problem quite a few times, so I wonder why this happens and how to solve it!
Thanks a lot if anyone can answer my question!
What you're seeing there is what the server declared the content to be. Bro ignores that value and sniffs the content to try and identify it.
You have found a weakness in our shockwave detection fingerprint though. I'm going to be doing a commit into master soon that improves on our Flash detection (our signatures don't detect LZMA compressed flash files).
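The reply above makes two points worth seeing in code: a content sniffer keys on the body's magic bytes rather than on what the server declares, and a fingerprint that only knows the FWS/CWS magics never fires on an LZMA-compressed Flash file, whose container starts with ZWS. The following is an added example and not Bro's own signature code or anything from the thread; the SWF container layout it uses (3-byte magic, version byte, 4-byte little-endian uncompressed length, and for ZWS an extra 4-byte compressed length followed by 5 LZMA property bytes) is taken from the SWF file format, the sample bodies are constructed filler rather than the malware-traffic-analysis.net capture, and `sniff_mime_without_lzma` is a hypothetical stand-in for a signature that matches only FWS and CWS.

```python
"""Content sniffing for SWF (Flash) bodies, keyed on the magic bytes rather
than on the HTTP Content-Type header, covering all three SWF containers:
FWS (uncompressed), CWS (zlib) and ZWS (LZMA)."""
import lzma
import struct
import zlib
from typing import Dict, Optional

SWF_MIME = "application/x-shockwave-flash"

# Magic bytes -> compression scheme of the SWF container.
SWF_MAGIC = {b"FWS": "none", b"CWS": "zlib", b"ZWS": "lzma"}


def sniff_mime(body: bytes) -> Optional[str]:
    """MIME type implied by the leading bytes, or None if unrecognised.
    Only SWF is fingerprinted here; a real sniffer carries many more magics."""
    return SWF_MIME if body[:3] in SWF_MAGIC else None


def sniff_mime_without_lzma(body: bytes) -> Optional[str]:
    """Hypothetical fingerprint that knows only FWS/CWS, included to show how
    an LZMA-compressed file slips past it; this is not Bro's own signature."""
    return SWF_MIME if body[:3] in (b"FWS", b"CWS") else None


def parse_swf_header(body: bytes) -> Dict[str, object]:
    """Decode the fixed SWF header: magic, version byte, little-endian
    uncompressed length, and for ZWS the extra compressed-length field."""
    if body[:3] not in SWF_MAGIC or len(body) < 8:
        raise ValueError("not an SWF header")
    info: Dict[str, object] = {
        "compression": SWF_MAGIC[body[:3]],
        "version": body[3],
        "uncompressed_length": struct.unpack("<I", body[4:8])[0],
        "compressed_length": None,
    }
    if info["compression"] == "lzma":
        info["compressed_length"] = struct.unpack("<I", body[8:12])[0]
    return info


def decompress_swf(body: bytes) -> bytes:
    """Return the movie data that follows the 8-byte header, inflating it for
    CWS and ZWS so a downstream tag parser sees the same bytes either way."""
    scheme = parse_swf_header(body)["compression"]
    if scheme == "none":
        return body[8:]
    if scheme == "zlib":
        return zlib.decompress(body[8:])
    # ZWS: 4-byte compressed length, 5 LZMA property bytes, then the stream.
    # The SWF layout omits the 8-byte size field of the legacy .lzma ("alone")
    # container; re-insert it as "unknown" (all 0xFF) and let liblzma decode.
    props, stream = body[12:17], body[17:]
    return lzma.decompress(props + b"\xff" * 8 + stream, format=lzma.FORMAT_ALONE)


def classify_response(declared_content_type: Optional[str], body: bytes) -> Dict[str, object]:
    """Compare what the server declared with what the bytes actually say."""
    sniffed = sniff_mime(body)
    return {
        "declared": declared_content_type,
        "sniffed": sniffed,
        "mismatch": sniffed is not None and sniffed != declared_content_type,
    }


# --- constructed samples (not a real movie; filler stands in for tag data) ---
FAKE_MOVIE = b"\x00" * 40


def make_fws(payload: bytes, version: int = 10) -> bytes:
    return b"FWS" + bytes([version]) + struct.pack("<I", 8 + len(payload)) + payload


def make_cws(payload: bytes, version: int = 10) -> bytes:
    return b"CWS" + bytes([version]) + struct.pack("<I", 8 + len(payload)) + zlib.compress(payload)


def make_zws(payload: bytes, version: int = 13) -> bytes:
    # liblzma's "alone" output is 5 property bytes, 8 size bytes, then the
    # stream (with end marker); SWF keeps the 5 property bytes, drops the size
    # field and stores the stream length in its own 4-byte field instead.
    alone = lzma.compress(payload, format=lzma.FORMAT_ALONE)
    props, stream = alone[:5], alone[13:]
    header = b"ZWS" + bytes([version]) + struct.pack("<I", 8 + len(payload))
    return header + struct.pack("<I", len(stream)) + props + stream


if __name__ == "__main__":
    for label, sample in (("FWS", make_fws(FAKE_MOVIE)),
                          ("CWS", make_cws(FAKE_MOVIE)),
                          ("ZWS", make_zws(FAKE_MOVIE))):
        print(label, parse_swf_header(sample),
              "sniffed:", sniff_mime(sample),
              "FWS/CWS-only sniffer:", sniff_mime_without_lzma(sample),
              "roundtrip ok:", decompress_swf(sample) == FAKE_MOVIE)
    print(classify_response("text/html", make_zws(FAKE_MOVIE)))
```

Running the module prints the parsed header for each container and shows the ZWS sample being recognised by `sniff_mime` but missed by the FWS/CWS-only sniffer, which is the gap described in the reply. `classify_response` is the check a practitioner actually wants from a log: when the sniffed type disagrees with the declared Content-Type (or the declaration is absent), that mismatch is itself a useful detection signal.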