Lu Goon created BIT-1539:
----------------------------

             Summary: Adding intel to intel framework Bro is not loading the file
                 Key: BIT-1539
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1539
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
    Affects Versions: 2.4
         Environment: CentOS 7.2. 1511 kernel version 3.10 
            Reporter: Lu Goon


We wanted to get our intel (bad IPs) into Bro for alerting using the Intel 
framework. I crafted a file of bad IPs based on the documentation on the site. 
I also based this on the Critical Stack implementation.

I provided the following fields: indicator, indicator_type, meta.source, 
meta.desc, meta.do_notice.

Thus, a sample entry would be:

1.2.3.4 \t Intel::ADDR \t MY INTEL \t  My bad IP list \t F

Per the documentation, it should write all that into the intel.log file if 
activated in the local.bro file,
either using broctl or bro -i ens33 local.bro. There is no indication in loaded 
scripts that the file loads.


Also, in my local.bro file I include:

@load policy/frameworks/intel/seen
@load policy/frameworks/intel/do_notice

redef Intel::read_files += { "/usr/local/bro/upload/intel.dat"};


Any help on debugging why this file is not loading, or any indication of 
whether it is loaded?





--
This message was sent by Atlassian JIRA
(v7.2.0-OD-02-009#72000)
_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
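
A lint pass for the tab-separated intel file described in the report, as an added example (not code from the reporter or the Bro project). It assumes the file is read by the Input framework's ASCII reader, which needs a `#fields` header row and bare tab characters between columns; `lint_intel` and the sample strings are constructed for illustration.

```python
import re

# Column names the report lists; a "#fields" header line carries them to the reader.
EXPECTED = ["indicator", "indicator_type", "meta.source", "meta.desc", "meta.do_notice"]
TYPE_RE = re.compile(r"^Intel::[A-Z_]+$")  # shape of an Intel::Type enum name

def lint_intel(text):
    """Return (line_no, problem) tuples for the contents of an intel file."""
    problems, header = [], None
    for no, line in enumerate(text.splitlines(), 1):
        if line.startswith("#fields"):
            header = line.split("\t")[1:]
            for name in EXPECTED[:3]:  # the three columns every item needs
                if name not in header:
                    problems.append((no, "header lacks " + name))
            continue
        if not line or line.startswith("#"):
            continue
        if header is None:
            problems.append((no, "data row before any #fields header"))
            header = EXPECTED  # assume the report's column order from here on
        if "\\t" in line:
            problems.append((no, "literal backslash-t text instead of a tab character"))
        values = line.split("\t")
        if len(values) != len(header):
            problems.append((no, "%d columns, header has %d" % (len(values), len(header))))
            continue
        row = dict(zip(header, values))
        for name, value in row.items():
            if value != value.strip():  # padding becomes part of the field value
                problems.append((no, "padding around " + name))
        if not TYPE_RE.match(row.get("indicator_type", "").strip()):
            problems.append((no, "indicator_type is not an Intel:: enum name"))
        if row.get("meta.do_notice", "F").strip() not in ("T", "F"):
            problems.append((no, "meta.do_notice must be T or F"))
    return problems

# Constructed samples: a clean file, and a headerless row with space-padded tabs.
HEADER = "#fields\t" + "\t".join(EXPECTED)
GOOD = HEADER + "\n1.2.3.4\tIntel::ADDR\tMY INTEL\tMy bad IP list\tF\n"
PADDED = "1.2.3.4 \t Intel::ADDR \t MY INTEL \t  My bad IP list \t F\n"

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("PADDED", PADDED)):
        print(name, lint_intel(sample) or "ok")
```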
