base/frameworks/intel/main.bro

Intel

The intelligence framework provides a way to store and query intelligence data (e.g. IP addresses, URLs and hashes). The intelligence items can be associated with metadata to allow informed decisions about matching and handling.

Namespace:Intel
Imports:base/frameworks/notice
Source File:/scripts/base/frameworks/intel/main.bro

Summary

Options

Intel::item_expiration: interval &redef The expiration timeout for intelligence items.

Types

Intel::Info: record Record used for the logging framework representing a positive hit within the intelligence framework.
Intel::Item: record Represents a piece of intelligence.
Intel::MetaData: record Data about an Intel::Item.
Intel::Seen: record Information about a piece of “seen” data.
Intel::Type: enum Enum type to represent various types of intelligence data.
Intel::TypeSet: set Set of intelligence data types.
Intel::Where: enum Enum to represent where data came from when it was discovered.

Redefinitions

Log::ID: enum  

Events

Intel::log_intel: event  
Intel::match: event Event to represent a match in the intelligence data from data that was seen.

Hooks

Intel::extend_match: hook This hook can be used to influence the logging of intelligence hits (e.g.
Intel::item_expired: hook This hook can be used to handle expiration of intelligence items.

Functions

Intel::insert: function Function to insert intelligence data.
Intel::remove: function Function to remove intelligence data.
Intel::seen: function Function to declare discovery of a piece of data in order to check it against known intelligence for matches.

Detailed Interface

Options

Intel::item_expiration
Type:interval
Attributes:&redef
Default:10.0 mins

The expiration timeout for intelligence items. Once an item expires, the Intel::item_expired hook is called. Reinsertion of an item resets the timeout. A negative value disables expiration of intelligence items.

Types

Intel::Info
Type:

record

ts: time &log

Timestamp when the data was discovered.

uid: string &log &optional

If a connection was associated with this intelligence hit, this is the uid for the connection

id: conn_id &log &optional

If a connection was associated with this intelligence hit, this is the conn_id for the connection.

seen: Intel::Seen &log

Where the data was seen.

matched: Intel::TypeSet &log

Which indicator types matched.

sources: set [string] &log &default = {  } &optional

Sources which supplied data that resulted in this match.

fuid: string &log &optional

(present if base/frameworks/intel/files.bro is loaded)

If a file was associated with this intelligence hit, this is the uid for the file.

file_mime_type: string &log &optional

(present if base/frameworks/intel/files.bro is loaded)

A mime type if the intelligence hit is related to a file. If the $f field is provided this will be automatically filled out.

file_desc: string &log &optional

(present if base/frameworks/intel/files.bro is loaded)

Frequently files can be “described” to give a bit more context. If the $f field is provided this field will be automatically filled out.

Record used for the logging framework representing a positive hit within the intelligence framework.

Intel::Item
Type:

record

indicator: string

The intelligence indicator.

indicator_type: Intel::Type

The type of data that the indicator field represents.

meta: Intel::MetaData

Metadata for the item. Typically represents more deeply descriptive data for a piece of intelligence.

Represents a piece of intelligence.

Intel::MetaData
Type:

record

source: string

An arbitrary string value representing the data source. This value is used as unique key to identify a metadata record in the scope of a single intelligence item.

desc: string &optional

A freeform description for the data.

url: string &optional

A URL for more information about the data.

do_notice: bool &default = F &optional

(present if policy/frameworks/intel/do_notice.bro is loaded)

A boolean value to allow the data itself to represent if the indicator that this metadata is attached to is notice worthy.

if_in: Intel::Where &optional

(present if policy/frameworks/intel/do_notice.bro is loaded)

Restrictions on when notices are created to only create them if the do_notice field is T and the notice was seen in the indicated location.

whitelist: bool &default = F &optional

(present if policy/frameworks/intel/whitelist.bro is loaded)

A boolean value to indicate whether the item is whitelisted.

cif_impact: string &optional

(present if policy/integration/collective-intel/main.bro is loaded)

Maps to the Impact field in the Collective Intelligence Framework.

cif_severity: string &optional

(present if policy/integration/collective-intel/main.bro is loaded)

Maps to the Severity field in the Collective Intelligence Framework.

cif_confidence: double &optional

(present if policy/integration/collective-intel/main.bro is loaded)

Maps to the Confidence field in the Collective Intelligence Framework.

Data about an Intel::Item.

Intel::Seen
Type:

record

indicator: string &log &optional

The string if the data is about a string.

indicator_type: Intel::Type &log &optional

The type of data that the indicator represents.

host: addr &optional

If the indicator type was Intel::ADDR, then this field will be present.

where: Intel::Where &log

Where the data was discovered.

node: string &optional &log

The name of the node where the match was discovered.

conn: connection &optional

If the data was discovered within a connection, the connection record should go here to give context to the data.

uid: string &optional

If the data was discovered within a connection, the connection uid should go here to give context to the data. If the conn field is provided, this will be automatically filled out.

f: fa_file &optional

(present if base/frameworks/intel/files.bro is loaded)

If the data was discovered within a file, the file record should go here to provide context to the data.

fuid: string &optional

(present if base/frameworks/intel/files.bro is loaded)

If the data was discovered within a file, the file uid should go here to provide context to the data. If the file record f is provided, this will be automatically filled out.

Information about a piece of “seen” data.

Intel::Type
Type:

enum

Intel::ADDR

An IP address.

Intel::SUBNET

A subnet in CIDR notation.

Intel::URL

A complete URL without the prefix "http://".

Intel::SOFTWARE

Software name.

Intel::EMAIL

Email address.

Intel::DOMAIN

DNS domain name.

Intel::USER_NAME

A user name.

Intel::CERT_HASH

Certificate SHA-1 hash.

Intel::PUBKEY_HASH

Public key MD5 hash. (SSH server host keys are a good example.)

Intel::FILE_HASH

(present if base/frameworks/intel/files.bro is loaded)

File hash which is non-hash type specific. It’s up to the user to query for any relevant hash types.

Intel::FILE_NAME

(present if base/frameworks/intel/files.bro is loaded)

File name. Typically with protocols with definite indications of a file name.

Enum type to represent various types of intelligence data.

Intel::TypeSet
Type:set [Intel::Type]

Set of intelligence data types.

Intel::Where
Type:

enum

Intel::IN_ANYWHERE

A catchall value to represent data of unknown provenance.

Conn::IN_ORIG

(present if policy/frameworks/intel/seen/where-locations.bro is loaded)

Conn::IN_RESP

(present if policy/frameworks/intel/seen/where-locations.bro is loaded)

Files::IN_HASH

(present if policy/frameworks/intel/seen/where-locations.bro is loaded)

Files::IN_NAME

(present if policy/frameworks/intel/seen/where-locations.bro is loaded)

DNS::IN_REQUEST

(present if policy/frameworks/intel/seen/where-locations.bro is loaded)

DNS::IN_RESPONSE

(present if policy/frameworks/intel/seen/where-locations.bro is loaded)

HTTP::IN_HOST_HEADER

(present if policy/frameworks/intel/seen/where-locations.bro is loaded)

HTTP::IN_REFERRER_HEADER

(present if policy/frameworks/intel/seen/where-locations.bro is loaded)

HTTP::IN_USER_AGENT_HEADER

(present if policy/frameworks/intel/seen/where-locations.bro is loaded)

HTTP::IN_X_FORWARDED_FOR_HEADER

(present if policy/frameworks/intel/seen/where-locations.bro is loaded)

HTTP::IN_URL

(present if policy/frameworks/intel/seen/where-locations.bro is loaded)

SMTP::IN_MAIL_FROM

(present if policy/frameworks/intel/seen/where-locations.bro is loaded)

SMTP::IN_RCPT_TO

(present if policy/frameworks/intel/seen/where-locations.bro is loaded)

SMTP::IN_FROM

(present if policy/frameworks/intel/seen/where-locations.bro is loaded)

SMTP::IN_TO

(present if policy/frameworks/intel/seen/where-locations.bro is loaded)

SMTP::IN_CC

(present if policy/frameworks/intel/seen/where-locations.bro is loaded)

SMTP::IN_RECEIVED_HEADER

(present if policy/frameworks/intel/seen/where-locations.bro is loaded)

SMTP::IN_REPLY_TO

(present if policy/frameworks/intel/seen/where-locations.bro is loaded)

SMTP::IN_X_ORIGINATING_IP_HEADER

(present if policy/frameworks/intel/seen/where-locations.bro is loaded)

SMTP::IN_MESSAGE

(present if policy/frameworks/intel/seen/where-locations.bro is loaded)

SSH::IN_SERVER_HOST_KEY

(present if policy/frameworks/intel/seen/where-locations.bro is loaded)

SSL::IN_SERVER_NAME

(present if policy/frameworks/intel/seen/where-locations.bro is loaded)

SMTP::IN_HEADER

(present if policy/frameworks/intel/seen/where-locations.bro is loaded)

X509::IN_CERT

(present if policy/frameworks/intel/seen/where-locations.bro is loaded)

SSH::SUCCESSFUL_LOGIN

(present if policy/protocols/ssh/detect-bruteforcing.bro is loaded)

An indicator of the login for the intel framework.

Enum to represent where data came from when it was discovered. The convention is to prefix the name with IN_.

Events

Intel::log_intel
Type:event (rec: Intel::Info)
Intel::match
Type:event (s: Intel::Seen, items: set [Intel::Item])

Event to represent a match in the intelligence data from data that was seen. On clusters there is no assurance as to when this event will be generated so do not assume that arbitrary global state beyond the given data will be available.

This is the primary mechanism where a user may take actions based on data provided by the intelligence framework.

Hooks

Intel::extend_match
Type:hook (info: Intel::Info, s: Intel::Seen, items: set [Intel::Item]) : bool

This hook can be used to influence the logging of intelligence hits (e.g. by adding data to the Info record). The default information is added with a priority of 5.

Info:The Info record that will be logged.
S:Information about the data seen.
Items:The intel items that match the seen data.

In case the hook execution is terminated using break, the match will not be logged.

Intel::item_expired
Type:hook (indicator: string, indicator_type: Intel::Type, metas: set [Intel::MetaData]) : bool

This hook can be used to handle expiration of intelligence items.

Indicator:The indicator of the expired item.
Indicator_type:The indicator type of the expired item.
Metas:The set of metadata describing the expired item.

If all hook handlers are executed, the expiration timeout will be reset. Otherwise, if one of the handlers terminates using break, the item will be removed.

Functions

Intel::insert
Type:function (item: Intel::Item) : void

Function to insert intelligence data. If the indicator is already present, the associated metadata will be added to the indicator. If the indicator already contains a metadata record from the same source, the existing metadata record will be updated.

Intel::remove
Type:function (item: Intel::Item, purge_indicator: bool &default = F &optional) : void

Function to remove intelligence data. If purge_indicator is set, the given metadata is ignored and the indicator is removed completely.

Intel::seen
Type:function (s: Intel::Seen) : void

Function to declare discovery of a piece of data in order to check it against known intelligence for matches.

Copyright 2016, The Bro Project. Last updated on December 07, 2018. Created using Sphinx 1.8.2.