threat intel questions

Hello!

I have several questions about the threat intel:

Is there a way to add meta.url and meta.desc to intel.log?

For Intel::FILE_NAME to work, does base/frameworks/intel/files.bro go in local.bro?

Will Intel::FILE_HASH detect MD5, SHA1, SHA256, SHA256, imphash, and authentihash?

Will Intel::CERT_HASH detect MD5 or SHA256?

Will the intel framework detect part of a URL, or only the full URL?

Will “@domain.com” work in the Intel::EMAIL, or is it best to just remove the “@” and add it to Intel::Domain?

Does meta.do_notice have to be set to T for an event to get logged into intel.log?

Thank you for the help.

Is there a way to add meta.url and meta.desc to intel.log?

In theory there is, but you have to keep in mind that multiple metadata records might be associated with a single indicator that matched. This is also why the sources field in intel.log is a set. See the following blog post for more details: https://blog.zeek.org/2016/12/the-intelligence-framework-update.html

For Intel::FILE_NAME to work, does base/frameworks/intel/files.bro go in
local.bro?

Scripts in base/ should be loaded by default. If you don't see hits on file names try to spot them in files.log first.

Will Intel::FILE_HASH detect MD5, SHA1, SHA256, SHA256, imphash, and
authentihash?

Will Intel::CERT_HASH detect MD5 or SHA256?

Will the intel framework detect part of a URL, or only the full URL?

Will "@domain.com" work in the Intel::EMAIL, or is it best to just remove
the "@" and add it to Intel::Domain?

To understand how the different indicators work just have a look at the corresponding seen scripts: https://github.com/zeek/zeek/tree/master/scripts/policy/frameworks/intel/seen

For example in case of Intel::FILE_HASH the file_hash event is used, which is triggered "each time file analysis generates a digest".

Does meta.do_notice have to be set to T for an event to get logged into
intel.log?

No. Setting do_notice to T will cause a notice to be generated. More info on notices can be found here: Notice Framework — Book of Zeek (v6.1.0)

Jan

Thank you, Jan.

I’m unable to get any threat intel events. The specific feed file was added in local.bro and the policy was redeployed. The intel.log is not being generated.

Is there a verbose debugging or warning when the policy is deployed to check for errors?

What is the best way to test the threat intel framework and events?

If the syntax of the feed.txt is bad, will it cause no events to appear in intel.log?

Will unicode characters (non-ASCII) in the feed.txt cause an error or break the threat intel framework?

Will multi-line values in the source, desc, or url cause the threat intel framework to not work?

Thank you in advance for the help!!!

Format of the intel files is critical; there should be errors in reporter.log on startup if there are any issues with the formatting of the file. The most important issue is tab-separated fields in your intel files, the next being that you have all of the necessary fields.
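Since a malformed feed is the usual reason intel.log never appears, here is a small offline checker for the points Michael raises (a tab-separated `#fields` header, consistent tab-separated rows, the required columns) plus the earlier questions about non-ASCII characters, multi-line values and `meta.do_notice`. This is an added example, not code from the thread or from Zeek itself; the sample feeds are constructed test data (RFC 5737 address, `.example`/`.invalid` names) and the file name `feed.txt` is only an assumed source label. Zeek's own loader remains the authority, so reporter.log is still the place to confirm.

```python
"""Added example: offline sanity checks for a Zeek intel feed file.

Flags the common loading mistakes before a deploy: missing or
space-separated '#fields' header, rows whose field count does not match
the header (spaces instead of tabs, or a value that spans lines),
missing required columns, unknown indicator types, non-ASCII bytes and
bad meta.do_notice values.  Zeek's reporter.log is the real authority."""
from typing import Dict, List, Tuple

# Indicator types defined by Zeek's intel framework (enum Intel::Type).
VALID_TYPES = {
    "Intel::ADDR", "Intel::SUBNET", "Intel::URL", "Intel::SOFTWARE",
    "Intel::EMAIL", "Intel::DOMAIN", "Intel::USER_NAME", "Intel::CERT_HASH",
    "Intel::PUBKEY_HASH", "Intel::FILE_HASH", "Intel::FILE_NAME",
}
# Columns every record must carry; the remaining meta.* columns are optional.
REQUIRED_COLS = ("indicator", "indicator_type", "meta.source")


def check_intel_feed(text: str) -> Tuple[List[Dict[str, str]], List[str]]:
    """Parse feed text and return (good_records, issues).

    Only rows that pass every check are returned, so a feed that yields no
    records but several issues is one Zeek will likely reject or load
    without the indicators you expected."""
    issues: List[str] = []
    records: List[Dict[str, str]] = []
    lines = text.split("\n")

    if not lines[0].startswith("#fields"):
        issues.append("line 1: first line must be a '#fields' header")
        return records, issues
    header = lines[0].split("\t")[1:]
    if not header:
        issues.append("line 1: '#fields' header is not tab-separated")
        return records, issues
    for col in REQUIRED_COLS:
        if col not in header:
            issues.append(f"line 1: required column '{col}' missing from header")
    if issues:
        return records, issues

    for lineno, line in enumerate(lines[1:], start=2):
        if not line.strip() or line.startswith("#"):
            continue  # blank lines and comment lines carry no record
        if not line.isascii():
            # Not a format error by itself, but a frequent source of
            # surprises (invisible characters, mis-encoded feeds).
            issues.append(f"line {lineno}: contains non-ASCII characters")
        cols = line.split("\t")
        if len(cols) != len(header):
            # A "multi-line" desc/url ends up here: the newline ends the
            # record and the remainder becomes a short, broken row.
            issues.append(
                f"line {lineno}: expected {len(header)} tab-separated fields, "
                f"got {len(cols)} (spaces instead of tabs, or a value that "
                f"spans lines?)")
            continue
        rec = dict(zip(header, cols))
        ok = True
        if rec["indicator"] in ("", "-"):
            issues.append(f"line {lineno}: empty indicator")
            ok = False
        if rec["indicator_type"] not in VALID_TYPES:
            issues.append(f"line {lineno}: unknown indicator_type "
                          f"'{rec['indicator_type']}'")
            ok = False
        if rec.get("meta.do_notice", "-") not in ("T", "F", "-"):
            issues.append(f"line {lineno}: meta.do_notice must be T or F")
            ok = False
        if ok:
            records.append(rec)
    return records, issues


# Constructed sample feeds (placeholder indicators, not real IoCs).
GOOD_FEED = (
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc"
    "\tmeta.url\tmeta.do_notice\n"
    "198.51.100.23\tIntel::ADDR\tfeed.txt\tconstructed test entry"
    "\thttp://example.invalid/ioc/1\tF\n"
    "malicious.example\tIntel::DOMAIN\tfeed.txt\t-\t-\tT\n"
)
BAD_FEED = (
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.do_notice\n"
    "198.51.100.23 Intel::ADDR feed.txt F\n"             # spaces, not tabs
    "evil.example\tIntel::HOSTNAME\tfeed.txt\tF\n"       # not an Intel::Type
    "caf\u00e9.example\tIntel::DOMAIN\tfeed.txt\tyes\n"  # non-ASCII, bad bool
)

if __name__ == "__main__":
    for name, feed in (("GOOD_FEED", GOOD_FEED), ("BAD_FEED", BAD_FEED)):
        recs, probs = check_intel_feed(feed)
        print(f"{name}: {len(recs)} usable record(s), {len(probs)} issue(s)")
        for p in probs:
            print("  " + p)
```

Run it against your real feed with `check_intel_feed(open("feed.txt").read())`; an empty record list with issues listed is the case where intel.log will stay silent, and the line numbers point at the rows to fix.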

Thank you Michael.

One last weird question: is there a way to have threat intel events with a different source (or a different threat intel file altogether) write out to another log, like having the feed2.txt file write to intel2.log?