Bro 2.2 includes an updated Intelligence framework for importing and matching intelligence data.
For all of these exercises we’ll be using the exercise-traffic.pcap file.
Exercise
First we are going to start with an extremely simple case: loading some data and matching it. First we will create an intelligence file in Bro’s intelligence format. Create a file named "intel-1.dat" with the following content. Keep in mind that all field separation is with literal tabs! Double check that you don’t have spaces as separators, because a record whose fields are split by spaces will not be parsed as separate fields.
#fields indicator indicator_type meta.source
fetchback.com Intel::DOMAIN my_special_source
The next step will obviously be to load this data into Bro which is done as a configuration option. Put the following script into the same directory as your "intel-1.dat" file and call it "intel-1.bro".
@load frameworks/intel/seen
redef Intel::read_files += { fmt("%s/intel-1.dat", @DIR) };
Now run.
bro -r exercise-traffic.pcap intel-1.bro
There should be no output in the terminal but there should be some content in a file named "intel.log". Take a look at that file.
Exercise
It’s very possible that hits on intelligence are something you want turned into a notice, even though the basic intel framework does not provide that functionality itself. This exercise is an example of data-driven notice creation using the "do_notice.bro" script that is included with Bro. Create a new Bro script named "intel-2.bro" with the following content.
@load frameworks/intel/seen
@load frameworks/intel/do_notice
redef Intel::read_files += { fmt("%s/intel-2.dat", @DIR) };
Now we need to create a paired intelligence file. Create "intel-2.dat".
#fields indicator indicator_type meta.source meta.do_notice
fetchback.com Intel::DOMAIN my_special_source T
The only difference from the previous intelligence file is the added meta.do_notice column. Now run.
bro -r exercise-traffic.pcap intel-2.bro
Exercise
Perhaps, though, you decide that seeing hits on your intelligence in certain locations is not actually what you want. The same "do_notice" script has the ability to limit your notices by the location in which the intelligence was seen. Create a new "intel-3.dat" file that says you are only interested in a match if the indicator was seen in the HTTP Host header.
#fields indicator indicator_type meta.source meta.do_notice meta.if_in
fetchback.com Intel::DOMAIN my_special_source T HTTP::IN_HOST_HEADER
The only change that needs to happen in the script is to load the new intelligence file, but we will include the new script here. Name it "intel-3.bro".
@load frameworks/intel/seen
@load frameworks/intel/do_notice
redef Intel::read_files += { fmt("%s/intel-3.dat", @DIR) };
Now run this script:
bro -r exercise-traffic.pcap intel-3.bro
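All three exercises hinge on the intelligence file being well formed: a "#fields" header, tab-separated columns, and sensible values in meta.do_notice. The mistake the first exercise warns about (spaces instead of tabs) produces a file that Bro reads as a single wide column, so nothing matches and nothing obvious tells you why. The following Python checker is an added example, not code from the Bro project or from this tutorial; it parses a file in the format shown above and reports the problems a practitioner most often hits before loading it. The list of accepted indicator types is an assumption (a subset of what the Intel framework defines), and the sample inputs are constructed to mirror intel-3.dat.

```python
#!/usr/bin/env python3
"""Parse and sanity-check a Bro intelligence file before loading it.

Added example, not part of Bro or this tutorial. It follows the format used
in the exercises: a '#fields' header line followed by tab-separated records.
KNOWN_TYPES is an assumption (a subset of the Intel framework's indicator
types); extend it as needed.
"""

REQUIRED_FIELDS = ("indicator", "indicator_type", "meta.source")
KNOWN_TYPES = {"Intel::ADDR", "Intel::DOMAIN", "Intel::URL", "Intel::EMAIL",
               "Intel::FILE_HASH", "Intel::FILE_NAME", "Intel::USER_NAME",
               "Intel::SOFTWARE", "Intel::CERT_HASH"}
BOOL_VALUES = {"T", "F"}


def parse_intel(text):
    """Return (records, errors).

    records: list of dicts keyed by the names from the '#fields' header.
    errors:  list of 'line N: message' strings; an empty list means the file
             is well formed (tabs only, matching field counts, sane values).
    """
    records, errors = [], []
    fields = None
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        if line.startswith("#fields"):
            # The header is itself tab-separated: '#fields<TAB>indicator<TAB>...'
            fields = line.split("\t")[1:]
            if not fields and " " in line:
                errors.append(f"line {lineno}: header separated by spaces, not tabs")
                fields = line.split()[1:]  # best effort so later checks still run
            missing = [f for f in REQUIRED_FIELDS if f not in fields]
            if missing:
                errors.append(f"line {lineno}: header missing {', '.join(missing)}")
            continue
        if line.startswith("#"):
            continue  # other directives and comments are ignored
        if fields is None:
            errors.append(f"line {lineno}: record appears before the #fields header")
            continue
        cols = line.split("\t")
        if len(cols) != len(fields):
            hint = " (spaces used as separators?)" if len(cols) == 1 and " " in line else ""
            errors.append(f"line {lineno}: expected {len(fields)} fields, got {len(cols)}{hint}")
            continue
        rec = dict(zip(fields, cols))
        if rec["indicator_type"] not in KNOWN_TYPES:
            errors.append(f"line {lineno}: unknown indicator_type {rec['indicator_type']}")
        if rec.get("meta.do_notice", "F") not in BOOL_VALUES:
            errors.append(f"line {lineno}: meta.do_notice must be T or F")
        records.append(rec)
    if fields is None:
        errors.append("no #fields header found")
    return records, errors


# Constructed sample: the intel-3.dat from the exercise, written with real tabs.
GOOD = ("#fields\tindicator\tindicator_type\tmeta.source\tmeta.do_notice\tmeta.if_in\n"
        "fetchback.com\tIntel::DOMAIN\tmy_special_source\tT\tHTTP::IN_HOST_HEADER\n")

# Constructed sample: the same data typed with spaces, the mistake the tutorial warns about.
BAD = ("#fields indicator indicator_type meta.source\n"
       "fetchback.com Intel::DOMAIN my_special_source\n")


if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("bad", BAD)):
        recs, errs = parse_intel(sample)
        print(f"{name}: {len(recs)} record(s), {len(errs)} error(s)")
        for e in errs:
            print("  " + e)
```

Run it against a real file with `parse_intel(open("intel-3.dat").read())`; an empty error list is the signal that the file is safe to hand to Intel::read_files, and the hint text points straight at the tabs-versus-spaces problem when that is what went wrong.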
© 2014 The Bro Project.