We recently switched to SO 16.04 and noticed that Bro doesn't produce an intel.log anymore.
The intel.dat is fine (the same file works perfectly on some boxes still on SO 14.04).
The reporter.log is empty. Also, sostat isn't showing any problems.
Any idea how to fix this?
BR
Chris
--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.
Yes, the __load__.bro is in the loaded_scripts.log and contains the path to the intel.dat:
grep -i intel /nsm/bro/logs/current/loaded_scripts.log
{"name":" /opt/bro/share/bro/base/frameworks/intel/__load__.bro"}
{"name":" /opt/bro/share/bro/base/frameworks/intel/main.bro"}
{"name":" /opt/bro/share/bro/base/frameworks/intel/files.bro"}
{"name":" /opt/bro/share/bro/base/frameworks/intel/cluster.bro"}
{"name":" /opt/bro/share/bro/base/frameworks/intel/input.bro"}
{"name":" /opt/bro/share/bro/intel/__load__.bro"}
{"name":" /opt/bro/share/bro/policy/frameworks/intel/seen/__load__.bro"}
{"name":" /opt/bro/share/bro/policy/frameworks/intel/seen/conn-established.bro"}
{"name":" /opt/bro/share/bro/policy/frameworks/intel/seen/where-locations.bro"}
{"name":" /opt/bro/share/bro/policy/frameworks/intel/seen/dns.bro"}
{"name":" /opt/bro/share/bro/policy/frameworks/intel/seen/file-hashes.bro"}
{"name":" /opt/bro/share/bro/policy/frameworks/intel/seen/file-names.bro"}
{"name":" /opt/bro/share/bro/policy/frameworks/intel/seen/http-headers.bro"}
{"name":" /opt/bro/share/bro/policy/frameworks/intel/seen/http-url.bro"}
{"name":" /opt/bro/share/bro/policy/frameworks/intel/seen/pubkey-hashes.bro"}
{"name":" /opt/bro/share/bro/policy/frameworks/intel/seen/ssl.bro"}
{"name":" /opt/bro/share/bro/policy/frameworks/intel/seen/smtp.bro"}
{"name":" /opt/bro/share/bro/policy/frameworks/intel/seen/smtp-url-extraction.bro"}
{"name":" /opt/bro/share/bro/policy/frameworks/intel/seen/x509.bro"}
{"name":" /opt/bro/share/bro/policy/frameworks/intel/do_notice.bro"}
cat /opt/bro/share/bro/intel/__load__.bro
@load frameworks/intel/seen
@load frameworks/intel/do_notice
@load frameworks/files/hash-all-files
redef Intel::read_files += {
"/opt/bro/share/bro/intel/intel.dat"
};
We do now get an intel.log, so far so good.
But the more important thing is: we do not have any Bro alerts in Squert.
We checked the Sguil DB; we don't have any entries for BRO/Intel/Notice in MySQL.
But there are IDS entries.
The Netsniff-NG config seems OK; we can see the source "intel" is OK.
The Bro agent is also working.
Could there be a permission problem, as there is now a randomized password for MySQL?
thanks,
Erwin
Yes, has something changed in 16.04 from 14.04 that could have broken it?
We do not see an Intel log in ELK as well; something is going on here.
Is it possible we have a MySQL issue here, as it was changed to a random password?
thank you,
Erwin
Thank you for the support; we will check this and get back to you.
Regards,
Erwin
Right now we are rewriting the code of the Bro agent to run with JSON again; we will see if it works ;)
Anyway, we have the problem that the intel.log is empty and does not catch the interesting stuff out there.
We tested with curl xxx.xyz, whatever domain.
Any clue why we do not see any intel.log?
The log is empty from LS/EL, no clues in there...
Thanks,
Erwin
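An added offline check (not code from the thread or from Security Onion) that covers the two questions above: the loaded_scripts.log / __load__.bro output posted earlier, and the later report that a curl test produced no intel.log. It parses the JSON-lines loaded_scripts.log for the intel framework scripts, pulls the Intel::read_files entries out of __load__.bro, validates that intel.dat is tab separated with the required #fields header (a space-separated file is the classic reason an intel.log never appears), and finally checks whether a tested domain is actually listed as an Intel::DOMAIN indicator. Bro only writes intel.log when an indicator is matched, so curl against a domain that is not in intel.dat will never produce one. All sample inputs are constructed and embedded; the paths mirror the ones posted above.

```python
"""Offline sanity checks for a Bro intel setup (added example, not from the thread)."""
import json
import re

# Constructed sample of /nsm/bro/logs/current/loaded_scripts.log (JSON lines).
LOADED_SCRIPTS_LOG = """\
{"name":" /opt/bro/share/bro/base/frameworks/intel/__load__.bro"}
{"name":" /opt/bro/share/bro/base/frameworks/intel/main.bro"}
{"name":" /opt/bro/share/bro/intel/__load__.bro"}
{"name":" /opt/bro/share/bro/policy/frameworks/intel/seen/__load__.bro"}
{"name":" /opt/bro/share/bro/policy/frameworks/intel/seen/dns.bro"}
{"name":" /opt/bro/share/bro/policy/frameworks/intel/do_notice.bro"}
"""

# Constructed copy of /opt/bro/share/bro/intel/__load__.bro.
LOAD_BRO = """\
@load frameworks/intel/seen
@load frameworks/intel/do_notice
redef Intel::read_files += {
    "/opt/bro/share/bro/intel/intel.dat"
};
"""

# Constructed intel.dat samples: header and rows MUST be tab separated.
INTEL_DAT_GOOD = "#fields\tindicator\tindicator_type\tmeta.source\nbad.example\tIntel::DOMAIN\ttest\n"
INTEL_DAT_BAD = "#fields indicator indicator_type meta.source\nbad.example Intel::DOMAIN test\n"

# Script suffixes that must appear for intel matching and notices to work.
REQUIRED_SCRIPTS = (
    "base/frameworks/intel/main.bro",
    "policy/frameworks/intel/seen/__load__.bro",
    "policy/frameworks/intel/do_notice.bro",
)


def missing_scripts(loaded_scripts_log):
    """Return the required intel scripts not present in a JSON-lines loaded_scripts.log."""
    loaded = set()
    for line in loaded_scripts_log.splitlines():
        if line.strip():
            loaded.add(json.loads(line)["name"].strip())  # names carry a leading space
    return [s for s in REQUIRED_SCRIPTS if not any(p.endswith(s) for p in loaded)]


def read_files(load_bro):
    """Extract the quoted paths from a 'redef Intel::read_files += { ... };' block."""
    m = re.search(r"Intel::read_files\s*\+=\s*\{(.*?)\}", load_bro, re.S)
    return re.findall(r'"([^"]+)"', m.group(1)) if m else []


def check_intel_dat(text):
    """Validate intel.dat layout; return (problems, {indicator: indicator_type})."""
    problems = []
    lines = [l for l in text.splitlines() if l.strip()]
    if not lines or not lines[0].startswith("#fields"):
        return ["first line must be a #fields header"], {}
    header = lines[0].split("\t")
    if len(header) < 3:
        return ["header is not tab separated"], {}
    fields = header[1:]  # drop the literal '#fields' token
    for req in ("indicator", "indicator_type", "meta.source"):
        if req not in fields:
            problems.append(f"missing required column {req}")
    indicators = {}
    for n, line in enumerate(lines[1:], start=2):
        if line.startswith("#"):
            continue
        cols = line.split("\t")
        if len(cols) != len(fields):
            problems.append(f"line {n}: expected {len(fields)} tab separated columns, got {len(cols)}")
            continue
        row = dict(zip(fields, cols))
        if not row["indicator_type"].startswith("Intel::"):
            problems.append(f"line {n}: bad indicator_type {row['indicator_type']!r}")
            continue
        indicators[row["indicator"]] = row["indicator_type"]
    return problems, indicators


def would_match(indicators, observed, kind):
    """True if an observed value (e.g. a curl'd domain) would hit an indicator of that type."""
    return indicators.get(observed) == kind


if __name__ == "__main__":
    print("missing scripts:", missing_scripts(LOADED_SCRIPTS_LOG))
    print("read_files:", read_files(LOAD_BRO))
    for label, data in (("good", INTEL_DAT_GOOD), ("bad", INTEL_DAT_BAD)):
        problems, ind = check_intel_dat(data)
        print(label, "intel.dat ->", problems or "ok", ind)
    _, ind = check_intel_dat(INTEL_DAT_GOOD)
    print("curl bad.example would match:", would_match(ind, "bad.example", "Intel::DOMAIN"))
    print("curl xxx.xyz would match:", would_match(ind, "xxx.xyz", "Intel::DOMAIN"))
```

On a real sensor, feed the functions the contents of the actual loaded_scripts.log, __load__.bro and intel.dat; if check_intel_dat reports a tab problem, fix the file and restart Bro, and remember that the intel.log only appears once a listed indicator is actually observed on the wire.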