Warning of "did not find requested field indicator" from intelligence data file

Hi,

Following the instructions for the intelligence framework, I wrote an intelligence framework text file myintel.txt whose content is:

#fields indicator indicator_type meta.source meta.desc meta.url
14.215.177.39 Intel::ADDR baidu use baidu search -

Very simple. I also wrote a simple Bro script file mytest.bro whose content is:

@load policy/frameworks/intel/seen
@load policy/frameworks/intel/do_notice
redef Intel::read_files += { "./myintel.txt" };

When I run this script with the command "./bro -i eth3 mytest" on a shell terminal and run "ping 14.215.177.39" on another shell terminal, I get the following warning:

warning: ./myintel.txt/Input::READER_ASCII: Did not find requested field indicator in input data file ./myintel.txt.

It seems that there is no error in the myintel.txt file, so what causes this warning?

Best Regards

On 27/08/18 10:10, wangdj@ffcs.cn wrote:
> When I run this script with the command "./bro -i eth3 mytest" on a shell terminal and run "ping 14.215.177.39" on another shell terminal, I get the following warning:
>
> warning: ./myintel.txt/Input::READER_ASCII: Did not find requested field indicator in input data file ./myintel.txt.

Keep in mind that the header has to be tab-separated. Furthermore, the default seen scripts report only IPs of established TCP connections (see https://github.com/bro/bro/blob/master/scripts/policy/frameworks/intel/seen/conn-established.bro).

Jan
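Added example, not from the thread or from Bro itself: a small Python checker for the header problem Jan describes. It assumes the ASCII reader splits the "#fields" line on tabs only, so a header typed with spaces yields no recognisable field names, and it uses the thread's own record as constructed sample input.

```python
from typing import Dict, List

# Fields the intel framework requests from Intel::read_files (taken from the thread's file).
REQUESTED = ["indicator", "indicator_type", "meta.source", "meta.desc", "meta.url"]


def check_intel_file(text: str, requested: List[str] = REQUESTED) -> Dict[str, object]:
    """Validate the #fields header and data rows of an Intel framework input file.

    Assumption: like the ASCII reader, the header is split on tabs only, so a header
    typed with spaces collapses into a single unknown field name and every requested
    field is reported missing.
    """
    lines = text.splitlines()
    header = next((ln for ln in lines if ln.startswith("#fields")), None)
    if header is None:
        return {"ok": False, "missing": list(requested), "space_separated": False, "bad_rows": []}
    fields = header.split("\t")[1:]
    # At most one tab-separated token but spaces present: the header was space-separated.
    space_separated = len(fields) <= 1 and " " in header.strip()
    if space_separated:
        fields = []
    missing = [f for f in requested if f not in fields]
    # Each data row needs exactly one tab-separated column per header field.
    bad_rows = []
    for n, line in enumerate(lines, 1):
        if not line.strip() or line.startswith("#"):
            continue
        if len(line.split("\t")) != len(fields):
            bad_rows.append(n)
    return {"ok": not missing and not bad_rows, "missing": missing,
            "space_separated": space_separated, "bad_rows": bad_rows}


# Constructed samples: the thread's record written with tabs (valid) and with spaces.
TAB_FILE = ("#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.url\n"
            "14.215.177.39\tIntel::ADDR\tbaidu\tuse baidu search\t-\n")
SPACE_FILE = ("#fields indicator indicator_type meta.source meta.desc meta.url\n"
              "14.215.177.39 Intel::ADDR baidu use baidu search -\n")

if __name__ == "__main__":
    for name, data in (("tabs", TAB_FILE), ("spaces", SPACE_FILE)):
        print(name, check_intel_file(data))
```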

Hi Jan,

Thanks for your reply.
The header in the myintel.txt file is tab-separated. I will check the second reason you mentioned.

Best Regards

Hi,

When I read the "Bro Cluster Architecture" document (link: https://www.bro.org/sphinx/cluster/index.html), I cannot understand the following sentence.

"The packets can then be passed directly to a monitoring host where each worker has a BPF filter to limit its visibility to only that stream of flows, or onward to a commodity switch to split the traffic out to multiple 1G interfaces for the workers."
Does this sentence mean that a worker's BPF filter can retransmit packets to another switch?
If it cannot, what does the above-mentioned sentence mean?

If it can, then what does the following sentence, which is also from "Bro Cluster Architecture", mean?
"The frontend is a discrete hardware device or on-host technique that splits traffic into many streams or flows. The Bro binary does not do this job."

> "The packets can then be passed directly to a monitoring host where
> each worker has a BPF filter to limit its visibility to only that stream
> of flows, or onward to a commodity switch to split the traffic out to
> multiple 1G interfaces for the workers."
>
> Does this sentence mean that a worker's BPF filter can retransmit packets to another switch?

The "or onward" part is talking about what the front-end does, rather than
what the workers do. The front end *either* sends all packets to a host
for which each individual worker applies a (disjoint) BPF filter to the
stream to pick out those flows specifically for it; *or* the front end can
send the traffic to a switch that explicitly load-balances the traffic
across multiple 1G interfaces.

    Vern