I followed the examples step by step and I cannot get bro to like the text file or dat file from the documentation. I get errors in the reporter.log about not being able to find the requested field indicator.
The other error is "headers are incorrect". Any help would be appreciated. Thanks!
It's helpful to post exactly why errors you're seeing and exactly how you're configuring and running Bro (i.e., send the exact errors and send an example of something you can provide Bro to reproduce the error.
Thanks,
.Seth
Also - check if the header fields are separated by tab characters and not by spaces.
That might be the problem.
Johanna
Reporter.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path reporter
#open 2013-11-23-08-28-18
#fields ts level message location
#types time enum string string
1385213298.936827 Reporter::ERROR /etc/bro/spool/installed-scripts-do-not-touch/site/intel1.txt/Input::READER_ASCII: Did not find requested field indicator in input data file /etc/bro/spool$
1385213298.936827 Reporter::ERROR /etc/bro/spool/installed-scripts-do-not-touch/site/intel1.txt/Input::READER_ASCII: Init: cannot open /etc/bro/spool/installed-scripts-do-not-touch/site/int$
1385213298.936827 Reporter::ERROR /etc/bro/spool/installed-scripts-do-not-touch/site/intel1.txt/Input::READER_ASCII: Init failed (empty)
1385213298.936827 Reporter::ERROR /etc/bro/spool/installed-scripts-do-not-touch/site/intel1.txt/Input::READER_ASCII: terminating thread (empty)
/etc/bro/share/bro/site/intel.txt
#fields indicator indicator_type meta.source
instagram.com Intel::DOMAIN my_special_source
local.bro
@load intel1.bro
intel1.bro
@load frameworks/intel/seen
redef Intel::read_files += {
fmt("%s/intel1.txt", @DIR)
};
Just to check - are you a hundred percent sure that the first line of your
intel.txt file looks like…
#fields[tab]indicator[tab]indicator_type[tab]mata.source
Without any other characters in between, especially not using spaces
instead of tab?
From the paste in your mail we are unable to tell if that is the case, but
the error message really sounds like there is some kind of problem with
that line in the input file.
Johanna
You guys had it. I went back in and redid the entire line with just tabs. I believe I had it this way but just to be certain I redid the entire file. Something must have through it off or was lingering in the original file. You guys are the best!