I have spent hours attempting to get the threat intel framework running on Zeek, but still am having no luck. Despite following the tutorials to a T, there is no intel.log generated with the rest of the log files. Running the scripts against a generated pcap will create the intel.log file, but nothing is being made in the logs folder as normal traffic passes through. All other logs are generating, and I can’t seem to find any issues.
You may already have done this stuff, but from my adventures with the intel framework…
The reporter.log and the stderr.log spit out error messages when the intel framework loads/changes/etc. If you’re sure that you’re loading all three intel scripts, then there may be useful data in those log files. The intel files only get generated when there is an intel ‘hit’, so if you loaded intel files with IOCs that you may never see, you’ll never see an intel.log file. I normally ingest a “bad_things.intel” file that I manually add non-bad things to just to make sure the intel framework is still functioning, like my corporate server address or security friends’ blackhole servers. When I’m worried that the intel framework may be confused, I just visit whatever is in the bad_things file and – voila – I get an intel.log entry.
Note that the intel files have an exact syntax. I’ve been burned by ‘vi’ changing the first tab in the ‘fields’ line to a space and the intel file never loads. I’m pretty good at decoding ‘od -c *.intel’ output now.
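A small checker for the tab-versus-space problem the reply describes, added here as an example and not code from the thread or from Zeek itself; the three sample intel files it scans are constructed inline (203.0.113.5 is a documentation address), and the required-column list follows the Zeek intel file format (indicator, indicator_type, meta.source).

```python
"""Check a Zeek intel file for the tab/space problem the reply describes.
Added example, not code from the thread or from Zeek; samples are constructed
and 203.0.113.5 is a documentation address."""

# Columns every Zeek intel file must carry after '#fields'.
REQUIRED = ("indicator", "indicator_type", "meta.source")

# Constructed samples: a correct file, one where an editor turned the tab
# after '#fields' into a space, and one where a data row lost a tab.
GOOD = ("#fields\tindicator\tindicator_type\tmeta.source\n"
        "203.0.113.5\tIntel::ADDR\tcanary\n")
BAD_HEADER = ("#fields indicator\tindicator_type\tmeta.source\n"
              "203.0.113.5\tIntel::ADDR\tcanary\n")
BAD_ROW = ("#fields\tindicator\tindicator_type\tmeta.source\n"
           "203.0.113.5 Intel::ADDR\tcanary\n")


def check_intel_text(text):
    """Return a list of (line_no, message); empty means the file looks sane."""
    problems = []
    lines = text.splitlines()
    if not lines:
        return [(0, "empty file")]
    header = lines[0]
    # '#fields' must be followed by a TAB; a space here is the classic vi burn.
    if not header.startswith("#fields\t"):
        if header.startswith("#fields "):
            problems.append((1, "'#fields' is followed by a space, not a tab"))
        else:
            problems.append((1, "first line is not a '#fields<TAB>...' header"))
        return problems
    columns = header.split("\t")[1:]
    for name in REQUIRED:
        if name not in columns:
            problems.append((1, "required column '%s' is missing" % name))
    for n, line in enumerate(lines[1:], start=2):
        if not line.strip() or line.startswith("#"):
            continue
        cells = line.split("\t")
        if len(cells) != len(columns):
            hint = ""
            if len(cells) < len(columns) and " " in line:
                hint = " (row contains spaces; was a tab replaced?)"
            problems.append((n, "expected %d tab-separated fields, got %d%s"
                             % (len(columns), len(cells), hint)))
    return problems


if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("bad header", BAD_HEADER), ("bad row", BAD_ROW)):
        print(label, "->", check_intel_text(sample) or "OK")
```

To check a real file, pass the contents of your .intel file to check_intel_text; any reported line number is the one to inspect with od -c.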