My IP = 1.2.3.4
Proxy IP = 1.1.1.1
Other endpoints on network = 4.4.4.4 (generating intel hits) / 4.3.2.1 (should be generating intel hits, but isn’t)

Bro alerting issue

user@server:/nsm/bro/logs$ zcat sensor1/2016-09-07/http_eth1.* | grep 1.2.3.4 | grep www.reddit.com
1473248892.645222 C23n4e1PTpQz3UO5al 1.2.3.4 59308 1.1.1.1 8080 1 CONNECT www.reddit.com www.reddit.com:443 - Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 0 666 407 Proxy Authorization Required - - - (empty) - - PROXY-CONNECTION -> keep-alive - - FWhPcw1TwkWMabzQ7g text/html
1473248893.216726 CBKm06SJakaTsANth 1.2.3.4 59327 1.1.1.1 8080 1 CONNECT www.reddit.com www.reddit.com:443 - Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 0 0 - - - - - (empty) - - PROXY-CONNECTION -> keep-alive - - - -
1473248893.233924 CBKm06SJakaTsANth 1.2.3.4 59327 1.1.1.1 8080 2 CONNECT www.reddit.com www.reddit.com:443 - Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 0 0 - - - - - (empty) - - PROXY-CONNECTION -> keep-alive - - - -
1473248931.098214 Cv7kT13qomu3VUu8Wh 1.2.3.4 59651 1.1.1.1 8080 1 CONNECT www.reddit.com www.reddit.com:443 - Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 0 666 407 Proxy Authorization Required - - - (empty) - - PROXY-CONNECTION -> keep-alive - - FFTEBh28TGzNKJo8va text/html
1473248931.820902 C0M8nw4ebTvvfjJh 1.2.3.4 59692 1.1.1.1 8080 1 CONNECT www.reddit.com www.reddit.com:443 - Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 0 666 407 Proxy Authorization Required - - - (empty) - - PROXY-CONNECTION -> keep-alive - - FfN6NA4jZw5S21XjDj text/html
1473248931.115364 Cv7kT13qomu3VUu8Wh 1.2.3.4 59651 1.1.1.1 8080 2 CONNECT www.reddit.com www.reddit.com:443 - Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 0 0 200 Connection established - - - (empty) - - PROXY-CONNECTION -> keep-alive - - - -
1473248931.845491 C0M8nw4ebTvvfjJh 1.2.3.4 59692 1.1.1.1 8080 2 CONNECT www.reddit.com www.reddit.com:443 - Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 0 0 200 Connection established - - - (empty) - - PROXY-CONNECTION -> keep-alive - - - -
1473249206.955755 CLhMLV17bt3Vaf7Qw5 1.2.3.4 60041 1.1.1.1 8080 1 CONNECT www.reddit.com www.reddit.com:443 - Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 0 666 407 Proxy Authorization Required - - - (empty) - - PROXY-CONNECTION -> keep-alive - - FzEhOe4k3zzdqcrtIg text/html

user@server:/nsm/bro/logs$ zcat sensor1/2016-09-07/intel* | grep 1.2.3.4 | grep www.reddit.com
user@server:/nsm/bro/logs$

user@server:/nsm/bro/logs$ zcat sensor1/2016-09-07/intel.* | grep reddit.com
1473220073.848474 C2FF8u2ep8UsReEb27 4.4.4.4 59224 205.171.2.65 53 - - - www.reddit.com Intel::DOMAIN DNS::IN_REQUEST sensor1-eth1-2 Test IOC
1473220073.927123 CjMlrm2r3QE720aFTc 4.4.4.4 60795 198.41.209.138 443 - - - www.reddit.com Intel::DOMAIN SSL::IN_SERVER_NAME sensor1-eth1-4 Test IOC
1473220594.880523 Cvs08s3O7DsrBZaLW8 4.4.4.4 40867 205.171.2.65 53 - - - www.reddit.com Intel::DOMAIN DNS::IN_REQUEST sensor1-eth1-5 Test IOC
1473220595.005924 C91g5E4SkvGbCRrNh6 4.4.4.4 58814 198.41.208.142 443 - - - www.reddit.com Intel::DOMAIN SSL::IN_SERVER_NAME sensor1-eth1-3 Test IOC
1473220616.568481 CTxDDv1GXCTEkRZRZ2 4.4.4.4 58893 198.41.208.142 443 - - - www.reddit.com Intel::DOMAIN SSL::IN_SERVER_NAME sensor1-eth1-2 Test IOC
1473223504.003580 C1Tb5v3lRvuM2tR5Wk 4.4.4.4 4405 205.171.2.65 53 - - - www.reddit.com Intel::DOMAIN DNS::IN_REQUEST sensor1-eth1-3 Test IOC
1473223504.079370 COkVvDjGtJyCOyel9 4.4.4.4 60982 198.41.209.138 443 - - - www.reddit.com Intel::DOMAIN SSL::IN_SERVER_NAME sensor1-eth1-3 Test IOC
1473223562.292867 CCnkqn1fpwdKkK7Ytd 4.4.4.4 32826 198.41.209.138 443 - - - www.reddit.com Intel::DOMAIN SSL::IN_SERVER_NAME sensor1-eth1-2 Test IOC
1473225055.294059 CxdZLB2ZJL4VZyxV6d 4.4.4.4 3278 205.171.2.65 53 - - - www.reddit.com Intel::DOMAIN DNS::IN_REQUEST sensor1-eth1-4 Test IOC
1473225055.369528 CKLjQF2svbR3ennnSj 4.4.4.4 48361 198.41.209.136 443 - - - www.reddit.com Intel::DOMAIN SSL::IN_SERVER_NAME sensor1-eth1-5 Test IOC
1473225314.801533 CH1Lsn22pBxjOQEtBh 4.4.4.4 53670 205.171.2.65 53 - - - www.reddit.com Intel::DOMAIN DNS::IN_REQUEST sensor1-eth1-3 Test IOC
1473225314.922182 COgO6Y14Wl3x0zqace 4.4.4.4 39985 198.41.208.137 443 - - - www.reddit.com Intel::DOMAIN SSL::IN_SERVER_NAME sensor1-eth1-1 Test IOC

-----------------------------------------------------------------------

user@server:/nsm/bro/logs$ zcat sensor2/2016-09-07/conn.* | grep 222.73.144
1473210537.191260 C59dYd423UrJVUYzmg 4.3.2.1 50012 222.73.144.180 80 tcp - 3.009673 0 0 S0 T F 0 S 2 104 0 0 (empty) - CN sensor2-eth1
1473210546.206900 CU37Fl2J39XiApjYzi 4.3.2.1 50012 222.73.144.180 80 tcp - - - - S0 T F 0 S 1 48 0 0 (empty) - CN sensor2-eth1

user@server:/nsm/bro/logs$ zcat sensor2/2016-09-07/intel* | grep 222.73.144
user@server:/nsm/bro/logs$

datacenter@server:/nsm/bro/logs$ cat /opt/bro/share/bro/intel/intel.dat
#fields	indicator	indicator_type	meta.source	meta.do_notice
# EXAMPLES:
#66.32.119.38	Intel::ADDR	Test Address	T
#www.honeynet.org	Intel::DOMAIN	Test Domain	T
#4285358dd748ef74cb8161108e11cb73	Intel::FILE_HASH	Test MD5	T
www.reddit.com	Intel::DOMAIN	Test IOC	F
222.73.144.188	Intel::ADDR	Test IOC	T
222.73.144.201	Intel::ADDR	Test IOC	T

-------------------------------------------------------------------------------------------------

user@server:/opt/bro/share/bro/intel$ cat __load__.bro
@load frameworks/intel/seen
@load frameworks/intel/do_notice
@load frameworks/files/hash-all-files

redef Intel::read_files += {
    "/opt/bro/share/bro/intel/intel.dat",
    "/opt/bro/share/bro/intel/intel_domains.dat"
};
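The script below is an added example, not code from the post above or from Bro/Security Onion. It models the one operation the Intel framework performs against intel.dat: an exact lookup of each value that Intel::seen() is handed against the loaded indicators (in the Bro 2.x releases of 2016 there was no subnet indicator type, so an ADDR indicator matches one address and nothing else). Run over the data in the post, it shows three things. The reddit DNS query and TLS SNI from 4.4.4.4 hit, and with do_notice set to F they appear in intel.log only, never as notices. The connections from 4.3.2.1 cannot hit: conn.log shows a responder of 222.73.144.180, while intel.dat lists only 222.73.144.188 and 222.73.144.201, so `grep 222.73.144` finds conn.log lines but no indicator covers that host. For 1.2.3.4, whose http.log shows only CONNECT requests to the proxy at 1.1.1.1:8080, the DNS and SSL hooks that fired for 4.4.4.4 have nothing to see on the wire, leaving the Host header; the example assumes that header reads "www.reddit.com:443" with the port attached (http.log cannot confirm this, since its host column has the port removed), in which case the exact lookup misses. The `strip_port` switch, the helper names and the OBSERVED tuples are the example's own constructions, not part of the framework.

```python
"""Added example (not from the original post): a minimal model of how the
Bro/Zeek Intel framework matches what Intel::seen() reports against the
indicators loaded from intel.dat, run over the data in the post above.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# intel.dat exactly as shown in the post.  The real file is tab separated,
# so the source "Test IOC" with its embedded space is a single field.
INTEL_DAT = "\n".join([
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.do_notice",
    "# EXAMPLES:",
    "#66.32.119.38\tIntel::ADDR\tTest Address\tT",
    "#www.honeynet.org\tIntel::DOMAIN\tTest Domain\tT",
    "#4285358dd748ef74cb8161108e11cb73\tIntel::FILE_HASH\tTest MD5\tT",
    "www.reddit.com\tIntel::DOMAIN\tTest IOC\tF",
    "222.73.144.188\tIntel::ADDR\tTest IOC\tT",
    "222.73.144.201\tIntel::ADDR\tTest IOC\tT",
])

# Values the framework would have been handed for the traffic in the post,
# constructed from the log lines: (indicator, indicator_type, seen.where).
OBSERVED = [
    # 4.4.4.4 on sensor1: the DNS query and the TLS SNI, both in intel.log
    ("www.reddit.com", "Intel::DOMAIN", "DNS::IN_REQUEST"),
    ("www.reddit.com", "Intel::DOMAIN", "SSL::IN_SERVER_NAME"),
    # 1.2.3.4 on sensor1: CONNECT through the proxy.  ASSUMPTION: the Host
    # header carries the port, as a CONNECT request usually does; http.log's
    # host column cannot confirm it because Bro strips the port before logging.
    ("www.reddit.com:443", "Intel::DOMAIN", "HTTP::IN_HOST_HEADER"),
    # 4.3.2.1 on sensor2: the responder address from conn.log
    ("222.73.144.180", "Intel::ADDR", "Conn::IN_RESP"),
]


@dataclass(frozen=True)
class Item:
    indicator: str
    indicator_type: str
    source: str
    do_notice: bool


def parse_intel_dat(text: str) -> Dict[Tuple[str, str], Item]:
    """Load intel.dat into a lookup keyed by (indicator, indicator_type).

    Lines beginning with '#' are skipped, which is why the three EXAMPLES
    lines in the post never become indicators.
    """
    items: Dict[Tuple[str, str], Item] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 4:
            raise ValueError(f"malformed intel.dat line: {line!r}")
        indicator, itype, source, notice = fields
        items[(indicator, itype)] = Item(indicator, itype, source, notice == "T")
    return items


def seen(items: Dict[Tuple[str, str], Item], indicator: str, itype: str,
         where: str, strip_port: bool = False) -> Optional[dict]:
    """Model of Intel::seen(): an exact lookup on (indicator, type).

    Returns an intel.log-style record on a hit, else None.  strip_port is a
    hypothetical normalisation (not the framework's default) that drops a
    trailing ":port" from DOMAIN values before the lookup.
    """
    key = indicator
    if strip_port and itype == "Intel::DOMAIN":
        key = indicator.rsplit(":", 1)[0]
    item = items.get((key, itype))
    if item is None:
        return None
    # do_notice F: the hit is written to intel.log but raises no notice.
    return {"seen.indicator": key, "seen.indicator_type": itype,
            "seen.where": where, "sources": item.source,
            "do_notice": item.do_notice}


def addr_indicators_in_same_slash24(items: Dict[Tuple[str, str], Item],
                                    addr: str) -> List[str]:
    """ADDR indicators sharing a /24 with addr: what `grep 222.73.144` sees,
    which is not what an exact ADDR indicator matches on."""
    net = ipaddress.ip_network(f"{addr}/24", strict=False)
    return sorted(i.indicator for (ind, t), i in items.items()
                  if t == "Intel::ADDR" and ipaddress.ip_address(ind) in net)


def evaluate(strip_port: bool = False) -> List[Tuple[str, str, bool]]:
    """Run every observation through seen(); yields (indicator, where, hit)."""
    items = parse_intel_dat(INTEL_DAT)
    return [(ind, where, seen(items, ind, t, where, strip_port) is not None)
            for ind, t, where in OBSERVED]


if __name__ == "__main__":
    loaded = parse_intel_dat(INTEL_DAT)
    for ind, where, hit in evaluate():
        print(f"{'HIT ' if hit else 'miss'} {where:22} {ind}")
    print("ADDR indicators in the /24 of 222.73.144.180:",
          addr_indicators_in_same_slash24(loaded, "222.73.144.180"))
    print("CONNECT Host header with port stripped:",
          [h for _, w, h in evaluate(strip_port=True) if w == "HTTP::IN_HOST_HEADER"])
```

The two checks worth carrying back to the real sensor are the ones the script encodes: confirm the responder address in conn.log appears verbatim in intel.dat before expecting an intel.log line, and for proxied clients look at what the CONNECT request's Host header actually contains, since that string, not the http.log host column, is what gets compared to the DOMAIN indicator.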