Refactored FAF integration of intel framework.
File Analysis Framework related code has been moved into a separate script. Using redefinitions of the corresponding records causes the file-related columns to appear last.
This commit is contained in:
parent
5d340e669c
commit
1412de1798
13 changed files with 180 additions and 158 deletions
|
@ -1,5 +1,8 @@
|
||||||
@load ./main
|
@load ./main
|
||||||
|
|
||||||
|
# File analysis framework integration.
|
||||||
|
@load ./files
|
||||||
|
|
||||||
# The cluster framework must be loaded first.
|
# The cluster framework must be loaded first.
|
||||||
@load base/frameworks/cluster
|
@load base/frameworks/cluster
|
||||||
|
|
||||||
|
|
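--- a/scripts/base/frameworks/intel/files.bro
+++ b/scripts/base/frameworks/intel/files.bro
@@ -0,0 +1,84 @@
+##! File analysis framework integration for the intelligence framework. This
+##! script manages file information in intelligence framework datastructures.
+
+@load ./main
+
+module Intel;
+
+export {
+## Enum type to represent various types of intelligence data.
+redef enum Type += {
+## File hash which is non-hash type specific. It's up to the
+## user to query for any relevant hash types.
+FILE_HASH,
+## File name. Typically with protocols with definite
+## indications of a file name.
+FILE_NAME,
+};
+
+## Information about a piece of "seen" data.
+redef record Seen += {
+## If the data was discovered within a file, the file record
+## should go here to provide context to the data.
+f: fa_file &optional;
+## If the data was discovered within a file, the file uid should
+## go here to provide context to the data. If the *f* field is
+## provided, this will be automatically filled out.
+fuid: string &optional;
+};
+
+## Record used for the logging framework representing a positive
+## hit within the intelligence framework.
+redef record Info += {
+## If a file was associated with this intelligence hit,
+## this is the uid for the file.
+fuid: string &log &optional;
+## A mime type if the intelligence hit is related to a file.
+## If the $f field is provided this will be automatically filled
+## out.
+file_mime_type: string &log &optional;
+## Frequently files can be "described" to give a bit more context.
+## If the $f field is provided this field will be automatically
+## filled out.
+file_desc: string &log &optional;
+};
+}
+
+# Add file information to matches if available.
+hook extend_match(info: Info, s: Seen, items: set[Item]) &priority=5
+{
+if ( s?$f )
+{
+s$fuid = s$f$id;
+
+if ( s$f?$conns && |s$f$conns| == 1 )
+{
+for ( cid in s$f$conns )
+s$conn = s$f$conns[cid];
+}
+
+if ( ! info?$file_mime_type && s$f?$info && s$f$info?$mime_type )
+info$file_mime_type = s$f$info$mime_type;
+
+if ( ! info?$file_desc )
+info$file_desc = Files::describe(s$f);
+}
+
+if ( s?$fuid )
+info$fuid = s$fuid;
+
+if ( s?$conn )
+{
+s$uid = s$conn$uid;
+info$id = s$conn$id;
+}
+
+if ( s?$uid )
+info$uid = s$uid;
+
+for ( item in items )
+{
+add info$sources[item$meta$source];
+add info$matched[item$indicator_type];
+}
+}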
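Review bot: The connection and item bookkeeping at the end of the new `extend_match` hook, from `if ( s?$conn )` through the `for ( item in items )` loop that fills `info$sources` and `info$matched`, is not file-analysis-specific, yet as far as the shown main.bro hunks go it now exists only in files.bro, because the hook is deleted from main.bro without a replacement. A deployment that loads main.bro without this script would then log intel hits with no uid, id, sources or matched values. I would keep those lines as an `extend_match` hook in main.bro and leave only the `s?$f` and `s?$fuid` branches here, so the body matches the header comment `# Add file information to matches if available.`. Separately, `s$fuid = s$f$id;` and `s$conn = s$f$conns[cid];` overwrite values the caller may already have set, while `file_mime_type` and `file_desc` are guarded with `! info?$...`; guarding them the same way, e.g. `if ( ! s?$fuid ) s$fuid = s$f$id;`, would make the "automatically filled out" behaviour documented on `fuid` consistent with the other fields.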
|
@ -26,12 +26,6 @@ export {
|
||||||
DOMAIN,
|
DOMAIN,
|
||||||
## A user name.
|
## A user name.
|
||||||
USER_NAME,
|
USER_NAME,
|
||||||
## File hash which is non-hash type specific. It's up to the
|
|
||||||
## user to query for any relevant hash types.
|
|
||||||
FILE_HASH,
|
|
||||||
## File name. Typically with protocols with definite
|
|
||||||
## indications of a file name.
|
|
||||||
FILE_NAME,
|
|
||||||
## Certificate SHA-1 hash.
|
## Certificate SHA-1 hash.
|
||||||
CERT_HASH,
|
CERT_HASH,
|
||||||
## Public key MD5 hash. (SSH server host keys are a good example.)
|
## Public key MD5 hash. (SSH server host keys are a good example.)
|
||||||
|
@ -100,15 +94,6 @@ export {
|
||||||
## If the *conn* field is provided, this will be automatically
|
## If the *conn* field is provided, this will be automatically
|
||||||
## filled out.
|
## filled out.
|
||||||
uid: string &optional;
|
uid: string &optional;
|
||||||
|
|
||||||
## If the data was discovered within a file, the file record
|
|
||||||
## should go here to provide context to the data.
|
|
||||||
f: fa_file &optional;
|
|
||||||
|
|
||||||
## If the data was discovered within a file, the file uid should
|
|
||||||
## go here to provide context to the data. If the *f* field is
|
|
||||||
## provided, this will be automatically filled out.
|
|
||||||
fuid: string &optional;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
## Record used for the logging framework representing a positive
|
## Record used for the logging framework representing a positive
|
||||||
|
@ -124,19 +109,6 @@ export {
|
||||||
## this is the conn_id for the connection.
|
## this is the conn_id for the connection.
|
||||||
id: conn_id &log &optional;
|
id: conn_id &log &optional;
|
||||||
|
|
||||||
## If a file was associated with this intelligence hit,
|
|
||||||
## this is the uid for the file.
|
|
||||||
fuid: string &log &optional;
|
|
||||||
|
|
||||||
## A mime type if the intelligence hit is related to a file.
|
|
||||||
## If the $f field is provided this will be automatically filled
|
|
||||||
## out.
|
|
||||||
file_mime_type: string &log &optional;
|
|
||||||
## Frequently files can be "described" to give a bit more context.
|
|
||||||
## If the $f field is provided this field will be automatically
|
|
||||||
## filled out.
|
|
||||||
file_desc: string &log &optional;
|
|
||||||
|
|
||||||
## Where the data was seen.
|
## Where the data was seen.
|
||||||
seen: Seen &log;
|
seen: Seen &log;
|
||||||
## Which indicator types matched.
|
## Which indicator types matched.
|
||||||
|
@ -391,44 +363,6 @@ event Intel::match(s: Seen, items: set[Item]) &priority=5
|
||||||
Log::write(Intel::LOG, info);
|
Log::write(Intel::LOG, info);
|
||||||
}
|
}
|
||||||
|
|
||||||
hook extend_match(info: Info, s: Seen, items: set[Item]) &priority=5
|
|
||||||
{
|
|
||||||
if ( s?$f )
|
|
||||||
{
|
|
||||||
s$fuid = s$f$id;
|
|
||||||
|
|
||||||
if ( s$f?$conns && |s$f$conns| == 1 )
|
|
||||||
{
|
|
||||||
for ( cid in s$f$conns )
|
|
||||||
s$conn = s$f$conns[cid];
|
|
||||||
}
|
|
||||||
|
|
||||||
if ( ! info?$file_mime_type && s$f?$info && s$f$info?$mime_type )
|
|
||||||
info$file_mime_type = s$f$info$mime_type;
|
|
||||||
|
|
||||||
if ( ! info?$file_desc )
|
|
||||||
info$file_desc = Files::describe(s$f);
|
|
||||||
}
|
|
||||||
|
|
||||||
if ( s?$fuid )
|
|
||||||
info$fuid = s$fuid;
|
|
||||||
|
|
||||||
if ( s?$conn )
|
|
||||||
{
|
|
||||||
s$uid = s$conn$uid;
|
|
||||||
info$id = s$conn$id;
|
|
||||||
}
|
|
||||||
|
|
||||||
if ( s?$uid )
|
|
||||||
info$uid = s$uid;
|
|
||||||
|
|
||||||
for ( item in items )
|
|
||||||
{
|
|
||||||
add info$sources[item$meta$source];
|
|
||||||
add info$matched[item$indicator_type];
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
function insert(item: Item)
|
function insert(item: Item)
|
||||||
{
|
{
|
||||||
# Create and fill out the meta data item.
|
# Create and fill out the meta data item.
|
||||||
|
|
|
@ -3,7 +3,7 @@
|
||||||
#empty_field (empty)
|
#empty_field (empty)
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path loaded_scripts
|
#path loaded_scripts
|
||||||
#open 2016-06-07-19-22-42
|
#open 2016-06-15-19-16-09
|
||||||
#fields name
|
#fields name
|
||||||
#types string
|
#types string
|
||||||
scripts/base/init-bare.bro
|
scripts/base/init-bare.bro
|
||||||
|
@ -177,6 +177,7 @@ scripts/base/init-default.bro
|
||||||
scripts/base/frameworks/communication/main.bro
|
scripts/base/frameworks/communication/main.bro
|
||||||
scripts/base/frameworks/intel/__load__.bro
|
scripts/base/frameworks/intel/__load__.bro
|
||||||
scripts/base/frameworks/intel/main.bro
|
scripts/base/frameworks/intel/main.bro
|
||||||
|
scripts/base/frameworks/intel/files.bro
|
||||||
scripts/base/frameworks/intel/input.bro
|
scripts/base/frameworks/intel/input.bro
|
||||||
scripts/base/frameworks/sumstats/__load__.bro
|
scripts/base/frameworks/sumstats/__load__.bro
|
||||||
scripts/base/frameworks/sumstats/main.bro
|
scripts/base/frameworks/sumstats/main.bro
|
||||||
|
@ -310,4 +311,4 @@ scripts/base/init-default.bro
|
||||||
scripts/base/misc/find-checksum-offloading.bro
|
scripts/base/misc/find-checksum-offloading.bro
|
||||||
scripts/base/misc/find-filtered-trace.bro
|
scripts/base/misc/find-filtered-trace.bro
|
||||||
scripts/policy/misc/loaded-scripts.bro
|
scripts/policy/misc/loaded-scripts.bro
|
||||||
#close 2016-06-07-19-22-42
|
#close 2016-06-15-19-16-09
|
||||||
|
|
|
@ -3,8 +3,8 @@
|
||||||
#empty_field (empty)
|
#empty_field (empty)
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path intel
|
#path intel
|
||||||
#open 2016-03-22-18-11-20
|
#open 2016-06-15-19-11-27
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc seen.indicator seen.indicator_type seen.where seen.node matched sources
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator seen.indicator_type seen.where seen.node matched sources fuid file_mime_type file_desc
|
||||||
#types time string addr port addr port string string string string enum enum string set[enum] set[string]
|
#types time string addr port addr port string enum enum string set[enum] set[string] string string string
|
||||||
1458670280.078658 - - - - - - - - 123.123.123.123 Intel::ADDR Intel::IN_ANYWHERE worker-2 Intel::ADDR worker-1
|
1466017887.060652 - - - - - 123.123.123.123 Intel::ADDR Intel::IN_ANYWHERE worker-2 Intel::ADDR worker-1 - - -
|
||||||
#close 2016-03-22-18-11-29
|
#close 2016-06-15-19-11-36
|
||||||
|
|
|
@ -3,13 +3,13 @@
|
||||||
#empty_field (empty)
|
#empty_field (empty)
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path intel
|
#path intel
|
||||||
#open 2016-06-09-19-48-59
|
#open 2016-06-15-19-11-06
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc seen.indicator seen.indicator_type seen.where seen.node matched sources
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator seen.indicator_type seen.where seen.node matched sources fuid file_mime_type file_desc
|
||||||
#types time string addr port addr port string string string string enum enum string set[enum] set[string]
|
#types time string addr port addr port string enum enum string set[enum] set[string] string string string
|
||||||
1465501739.703996 - - - - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro Intel::ADDR source1
|
1466017866.348490 - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro Intel::ADDR source1 - - -
|
||||||
1465501740.704649 - - - - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro Intel::ADDR source1
|
1466017867.349583 - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro Intel::ADDR source1 - - -
|
||||||
1465501741.705204 - - - - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro Intel::ADDR source1
|
1466017868.349656 - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro Intel::ADDR source1 - - -
|
||||||
#close 2016-06-09-19-49-05
|
#close 2016-06-15-19-11-12
|
||||||
Trigger: 1.2.3.4
|
Trigger: 1.2.3.4
|
||||||
Seen: 1.2.3.4
|
Seen: 1.2.3.4
|
||||||
Trigger: 1.2.3.4
|
Trigger: 1.2.3.4
|
||||||
|
|
|
@ -3,9 +3,9 @@
|
||||||
#empty_field (empty)
|
#empty_field (empty)
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path intel
|
#path intel
|
||||||
#open 2016-03-22-18-11-32
|
#open 2016-06-15-19-12-26
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc seen.indicator seen.indicator_type seen.where seen.node matched sources
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator seen.indicator_type seen.where seen.node matched sources fuid file_mime_type file_desc
|
||||||
#types time string addr port addr port string string string string enum enum string set[enum] set[string]
|
#types time string addr port addr port string enum enum string set[enum] set[string] string string string
|
||||||
1458670292.167298 - - - - - - - - e@mail.com Intel::EMAIL SOMEWHERE bro Intel::EMAIL source1
|
1466017946.413077 - - - - - e@mail.com Intel::EMAIL SOMEWHERE bro Intel::EMAIL source1 - - -
|
||||||
1458670292.167298 - - - - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro Intel::ADDR source1
|
1466017946.413077 - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro Intel::ADDR source1 - - -
|
||||||
#close 2016-03-22-18-11-32
|
#close 2016-06-15-19-12-26
|
||||||
|
|
|
@ -3,13 +3,13 @@
|
||||||
#empty_field (empty)
|
#empty_field (empty)
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path intel
|
#path intel
|
||||||
#open 2016-05-11-16-59-39
|
#open 2016-06-15-19-14-07
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc seen.indicator seen.indicator_type seen.where seen.node matched sources
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator seen.indicator_type seen.where seen.node matched sources fuid file_mime_type file_desc
|
||||||
#types time string addr port addr port string string string string enum enum string set[enum] set[string]
|
#types time string addr port addr port string enum enum string set[enum] set[string] string string string
|
||||||
1462985979.596867 - - - - - - - - 192.168.1.1 Intel::ADDR SOMEWHERE bro Intel::ADDR source1
|
1466018047.083068 - - - - - 192.168.1.1 Intel::ADDR SOMEWHERE bro Intel::ADDR source1 - - -
|
||||||
1462985979.596867 - - - - - - - - 192.168.2.1 Intel::ADDR SOMEWHERE bro Intel::SUBNET source1
|
1466018047.083068 - - - - - 192.168.2.1 Intel::ADDR SOMEWHERE bro Intel::SUBNET source1 - - -
|
||||||
1462985979.596867 - - - - - - - - 192.168.142.1 Intel::ADDR SOMEWHERE bro Intel::ADDR,Intel::SUBNET source1
|
1466018047.083068 - - - - - 192.168.142.1 Intel::ADDR SOMEWHERE bro Intel::ADDR,Intel::SUBNET source1 - - -
|
||||||
#close 2016-05-11-16-59-39
|
#close 2016-06-15-19-14-07
|
||||||
|
|
||||||
Seen: [indicator=192.168.1.1, indicator_type=Intel::ADDR, host=192.168.1.1, where=SOMEWHERE, node=bro, conn=<uninitialized>, uid=<uninitialized>, f=<uninitialized>, fuid=<uninitialized>]
|
Seen: [indicator=192.168.1.1, indicator_type=Intel::ADDR, host=192.168.1.1, where=SOMEWHERE, node=bro, conn=<uninitialized>, uid=<uninitialized>, f=<uninitialized>, fuid=<uninitialized>]
|
||||||
Item: [indicator=192.168.1.1, indicator_type=Intel::ADDR, meta=[source=source1, desc=this host is just plain baaad, url=http://some-data-distributor.com/1]]
|
Item: [indicator=192.168.1.1, indicator_type=Intel::ADDR, meta=[source=source1, desc=this host is just plain baaad, url=http://some-data-distributor.com/1]]
|
||||||
|
|
|
@ -3,11 +3,11 @@
|
||||||
#empty_field (empty)
|
#empty_field (empty)
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path intel
|
#path intel
|
||||||
#open 2016-03-22-18-11-40
|
#open 2016-06-15-19-14-30
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc seen.indicator seen.indicator_type seen.where seen.node matched sources
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator seen.indicator_type seen.where seen.node matched sources fuid file_mime_type file_desc
|
||||||
#types time string addr port addr port string string string string enum enum string set[enum] set[string]
|
#types time string addr port addr port string enum enum string set[enum] set[string] string string string
|
||||||
1458670300.363597 - - - - - - - - 1.2.3.4 Intel::ADDR Intel::IN_A_TEST worker-1 Intel::ADDR source1
|
1466018070.494693 - - - - - 1.2.3.4 Intel::ADDR Intel::IN_A_TEST worker-1 Intel::ADDR source1 - - -
|
||||||
1458670300.363597 - - - - - - - - e@mail.com Intel::EMAIL Intel::IN_A_TEST worker-1 Intel::EMAIL source1
|
1466018070.494693 - - - - - e@mail.com Intel::EMAIL Intel::IN_A_TEST worker-1 Intel::EMAIL source1 - - -
|
||||||
1458670301.370555 - - - - - - - - 1.2.3.4 Intel::ADDR Intel::IN_A_TEST worker-2 Intel::ADDR source1
|
1466018071.505800 - - - - - 1.2.3.4 Intel::ADDR Intel::IN_A_TEST worker-2 Intel::ADDR source1 - - -
|
||||||
1458670301.370555 - - - - - - - - e@mail.com Intel::EMAIL Intel::IN_A_TEST worker-2 Intel::EMAIL source1
|
1466018071.505800 - - - - - e@mail.com Intel::EMAIL Intel::IN_A_TEST worker-2 Intel::EMAIL source1 - - -
|
||||||
#close 2016-03-22-18-11-49
|
#close 2016-06-15-19-14-39
|
||||||
|
|
|
@ -3,8 +3,8 @@
|
||||||
#empty_field (empty)
|
#empty_field (empty)
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path intel
|
#path intel
|
||||||
#open 2016-03-30-16-01-31
|
#open 2016-06-15-19-10-09
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc seen.indicator seen.indicator_type seen.where seen.node matched sources
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator seen.indicator_type seen.where seen.node matched sources fuid file_mime_type file_desc
|
||||||
#types time string addr port addr port string string string string enum enum string set[enum] set[string]
|
#types time string addr port addr port string enum enum string set[enum] set[string] string string string
|
||||||
1459353691.470304 - - - - - - - - 10.10.10.10 Intel::ADDR Intel::IN_ANYWHERE worker-1 Intel::ADDR end
|
1466017809.810005 - - - - - 10.10.10.10 Intel::ADDR Intel::IN_ANYWHERE worker-1 Intel::ADDR end - - -
|
||||||
#close 2016-03-30-16-01-41
|
#close 2016-06-15-19-10-19
|
||||||
|
|
|
@ -3,23 +3,23 @@
|
||||||
#empty_field (empty)
|
#empty_field (empty)
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path intel
|
#path intel
|
||||||
#open 2016-03-22-18-11-51
|
#open 2016-06-15-19-09-12
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc seen.indicator seen.indicator_type seen.where seen.node matched sources
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator seen.indicator_type seen.where seen.node matched sources fuid file_mime_type file_desc
|
||||||
#types time string addr port addr port string string string string enum enum string set[enum] set[string]
|
#types time string addr port addr port string enum enum string set[enum] set[string] string string string
|
||||||
1458670311.505318 - - - - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro Intel::ADDR source1
|
1466017751.936022 - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro Intel::ADDR source1 - - -
|
||||||
1458670314.509318 - - - - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro Intel::ADDR source2,source1
|
1466017754.938975 - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro Intel::ADDR source2,source1 - - -
|
||||||
1458670314.509318 - - - - - - - - 4.3.2.1 Intel::ADDR SOMEWHERE bro Intel::ADDR source2
|
1466017754.938975 - - - - - 4.3.2.1 Intel::ADDR SOMEWHERE bro Intel::ADDR source2 - - -
|
||||||
1458670317.513183 - - - - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro Intel::ADDR source2,source1
|
1466017757.941783 - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro Intel::ADDR source2,source1 - - -
|
||||||
1458670317.513183 - - - - - - - - 4.3.2.1 Intel::ADDR SOMEWHERE bro Intel::ADDR source2
|
1466017757.941783 - - - - - 4.3.2.1 Intel::ADDR SOMEWHERE bro Intel::ADDR source2 - - -
|
||||||
#close 2016-03-22-18-11-57
|
#close 2016-06-15-19-09-18
|
||||||
#separator \x09
|
#separator \x09
|
||||||
#set_separator ,
|
#set_separator ,
|
||||||
#empty_field (empty)
|
#empty_field (empty)
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path notice
|
#path notice
|
||||||
#open 2016-03-22-18-11-57
|
#open 2016-06-15-19-09-18
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
|
||||||
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double
|
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double
|
||||||
1458670317.513183 - - - - - - - - - Intel::Notice Intel hit on 1.2.3.4 at SOMEWHERE 1.2.3.4 - - - - bro Notice::ACTION_LOG 3600.000000 F - - - - -
|
1466017757.941783 - - - - - - - - - Intel::Notice Intel hit on 1.2.3.4 at SOMEWHERE 1.2.3.4 - - - - bro Notice::ACTION_LOG 3600.000000 F - - - - -
|
||||||
1458670317.513183 - - - - - - - - - Intel::Notice Intel hit on 4.3.2.1 at SOMEWHERE 4.3.2.1 - - - - bro Notice::ACTION_LOG 3600.000000 F - - - - -
|
1466017757.941783 - - - - - - - - - Intel::Notice Intel hit on 4.3.2.1 at SOMEWHERE 4.3.2.1 - - - - bro Notice::ACTION_LOG 3600.000000 F - - - - -
|
||||||
#close 2016-03-22-18-11-57
|
#close 2016-06-15-19-09-18
|
||||||
|
|
|
@ -3,23 +3,23 @@
|
||||||
#empty_field (empty)
|
#empty_field (empty)
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path intel
|
#path intel
|
||||||
#open 2016-05-11-16-32-08
|
#open 2016-06-15-19-08-03
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc seen.indicator seen.indicator_type seen.where seen.node matched sources
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator seen.indicator_type seen.where seen.node matched sources fuid file_mime_type file_desc
|
||||||
#types time string addr port addr port string string string string enum enum string set[enum] set[string]
|
#types time string addr port addr port string enum enum string set[enum] set[string] string string string
|
||||||
1416942644.593119 CXWv6p3arKYeMETxOg 192.168.4.149 49422 23.92.19.75 443 Fi6J8q3lDJpbQWAnvi application/pkix-cert 23.92.19.75:443/tcp www.pantz.org Intel::DOMAIN X509::IN_CERT bro Intel::DOMAIN source1
|
1416942644.593119 CXWv6p3arKYeMETxOg 192.168.4.149 49422 23.92.19.75 443 www.pantz.org Intel::DOMAIN X509::IN_CERT bro Intel::DOMAIN source1 Fi6J8q3lDJpbQWAnvi application/pkix-cert 23.92.19.75:443/tcp
|
||||||
#close 2016-05-11-16-32-08
|
#close 2016-06-15-19-08-03
|
||||||
#separator \x09
|
#separator \x09
|
||||||
#set_separator ,
|
#set_separator ,
|
||||||
#empty_field (empty)
|
#empty_field (empty)
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path intel
|
#path intel
|
||||||
#open 2016-05-11-16-32-08
|
#open 2016-06-15-19-08-03
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc seen.indicator seen.indicator_type seen.where seen.node matched sources
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator seen.indicator_type seen.where seen.node matched sources fuid file_mime_type file_desc
|
||||||
#types time string addr port addr port string string string string enum enum string set[enum] set[string]
|
#types time string addr port addr port string enum enum string set[enum] set[string] string string string
|
||||||
1170717505.735416 CXWv6p3arKYeMETxOg 192.150.187.164 58868 194.127.84.106 443 FeCwNK3rzqPnZ7eBQ5 application/pkix-cert 194.127.84.106:443/tcp 2c322ae2b7fe91391345e070b63668978bb1c9da Intel::CERT_HASH X509::IN_CERT bro Intel::CERT_HASH source1
|
1170717505.735416 CXWv6p3arKYeMETxOg 192.150.187.164 58868 194.127.84.106 443 2c322ae2b7fe91391345e070b63668978bb1c9da Intel::CERT_HASH X509::IN_CERT bro Intel::CERT_HASH source1 FeCwNK3rzqPnZ7eBQ5 application/pkix-cert 194.127.84.106:443/tcp
|
||||||
1170717505.934612 CXWv6p3arKYeMETxOg 192.150.187.164 58868 194.127.84.106 443 FeCwNK3rzqPnZ7eBQ5 - - www.dresdner-privat.de Intel::DOMAIN X509::IN_CERT bro Intel::DOMAIN source1
|
1170717505.934612 CXWv6p3arKYeMETxOg 192.150.187.164 58868 194.127.84.106 443 www.dresdner-privat.de Intel::DOMAIN X509::IN_CERT bro Intel::DOMAIN source1 FeCwNK3rzqPnZ7eBQ5 - -
|
||||||
1170717508.883051 CjhGID4nQcgTWjvg4c 192.150.187.164 58869 194.127.84.106 443 FjkLnG4s34DVZlaBNc application/pkix-cert 194.127.84.106:443/tcp 2c322ae2b7fe91391345e070b63668978bb1c9da Intel::CERT_HASH X509::IN_CERT bro Intel::CERT_HASH source1
|
1170717508.883051 CjhGID4nQcgTWjvg4c 192.150.187.164 58869 194.127.84.106 443 2c322ae2b7fe91391345e070b63668978bb1c9da Intel::CERT_HASH X509::IN_CERT bro Intel::CERT_HASH source1 FjkLnG4s34DVZlaBNc application/pkix-cert 194.127.84.106:443/tcp
|
||||||
1170717509.082241 CjhGID4nQcgTWjvg4c 192.150.187.164 58869 194.127.84.106 443 FjkLnG4s34DVZlaBNc - - www.dresdner-privat.de Intel::DOMAIN X509::IN_CERT bro Intel::DOMAIN source1
|
1170717509.082241 CjhGID4nQcgTWjvg4c 192.150.187.164 58869 194.127.84.106 443 www.dresdner-privat.de Intel::DOMAIN X509::IN_CERT bro Intel::DOMAIN source1 FjkLnG4s34DVZlaBNc - -
|
||||||
1170717511.909717 CCvvfg3TEfuqmmG4bh 192.150.187.164 58870 194.127.84.106 443 FQXAWgI2FB5STbrff application/pkix-cert 194.127.84.106:443/tcp 2c322ae2b7fe91391345e070b63668978bb1c9da Intel::CERT_HASH X509::IN_CERT bro Intel::CERT_HASH source1
|
1170717511.909717 CCvvfg3TEfuqmmG4bh 192.150.187.164 58870 194.127.84.106 443 2c322ae2b7fe91391345e070b63668978bb1c9da Intel::CERT_HASH X509::IN_CERT bro Intel::CERT_HASH source1 FQXAWgI2FB5STbrff application/pkix-cert 194.127.84.106:443/tcp
|
||||||
1170717512.108799 CCvvfg3TEfuqmmG4bh 192.150.187.164 58870 194.127.84.106 443 FQXAWgI2FB5STbrff - - www.dresdner-privat.de Intel::DOMAIN X509::IN_CERT bro Intel::DOMAIN source1
|
1170717512.108799 CCvvfg3TEfuqmmG4bh 192.150.187.164 58870 194.127.84.106 443 www.dresdner-privat.de Intel::DOMAIN X509::IN_CERT bro Intel::DOMAIN source1 FQXAWgI2FB5STbrff - -
|
||||||
#close 2016-05-11-16-32-08
|
#close 2016-06-15-19-08-03
|
||||||
|
|
|
@ -3,27 +3,27 @@
|
||||||
#empty_field (empty)
|
#empty_field (empty)
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path intel
|
#path intel
|
||||||
#open 2016-05-11-19-38-30
|
#open 2016-06-15-19-06-02
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc seen.indicator seen.indicator_type seen.where seen.node matched sources
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator seen.indicator_type seen.where seen.node matched sources fuid file_mime_type file_desc
|
||||||
#types time string addr port addr port string string string string enum enum string set[enum] set[string]
|
#types time string addr port addr port string enum enum string set[enum] set[string] string string string
|
||||||
1300475168.853899 CPbrpk1qSsw6ESzHV4 141.142.220.118 43927 141.142.2.2 53 - - - upload.wikimedia.org Intel::DOMAIN DNS::IN_REQUEST bro Intel::DOMAIN source1
|
1300475168.853899 CPbrpk1qSsw6ESzHV4 141.142.220.118 43927 141.142.2.2 53 upload.wikimedia.org Intel::DOMAIN DNS::IN_REQUEST bro Intel::DOMAIN source1 - - -
|
||||||
1300475168.854837 CIPOse170MGiRM1Qf4 141.142.220.118 40526 141.142.2.2 53 - - - upload.wikimedia.org Intel::DOMAIN DNS::IN_REQUEST bro Intel::DOMAIN source1
|
1300475168.854837 CIPOse170MGiRM1Qf4 141.142.220.118 40526 141.142.2.2 53 upload.wikimedia.org Intel::DOMAIN DNS::IN_REQUEST bro Intel::DOMAIN source1 - - -
|
||||||
1300475168.857956 CMXxB5GvmoxJFXdTa 141.142.220.118 32902 141.142.2.2 53 - - - upload.wikimedia.org Intel::DOMAIN DNS::IN_REQUEST bro Intel::DOMAIN source1
|
1300475168.857956 CMXxB5GvmoxJFXdTa 141.142.220.118 32902 141.142.2.2 53 upload.wikimedia.org Intel::DOMAIN DNS::IN_REQUEST bro Intel::DOMAIN source1 - - -
|
||||||
1300475168.858713 Che1bq3i2rO3KD1Syg 141.142.220.118 59714 141.142.2.2 53 - - - upload.wikimedia.org Intel::DOMAIN DNS::IN_REQUEST bro Intel::DOMAIN source1
|
1300475168.858713 Che1bq3i2rO3KD1Syg 141.142.220.118 59714 141.142.2.2 53 upload.wikimedia.org Intel::DOMAIN DNS::IN_REQUEST bro Intel::DOMAIN source1 - - -
|
||||||
1300475168.891644 CEle3f3zno26fFZkrh 141.142.220.118 58206 141.142.2.2 53 - - - upload.wikimedia.org Intel::DOMAIN DNS::IN_REQUEST bro Intel::DOMAIN source1
|
1300475168.891644 CEle3f3zno26fFZkrh 141.142.220.118 58206 141.142.2.2 53 upload.wikimedia.org Intel::DOMAIN DNS::IN_REQUEST bro Intel::DOMAIN source1 - - -
|
||||||
1300475168.892414 CfTOmO0HKorjr8Zp7 141.142.220.118 59746 141.142.2.2 53 - - - upload.wikimedia.org Intel::DOMAIN DNS::IN_REQUEST bro Intel::DOMAIN source1
|
1300475168.892414 CfTOmO0HKorjr8Zp7 141.142.220.118 59746 141.142.2.2 53 upload.wikimedia.org Intel::DOMAIN DNS::IN_REQUEST bro Intel::DOMAIN source1 - - -
|
||||||
1300475168.893988 Cab0vO1xNYSS2hJkle 141.142.220.118 45000 141.142.2.2 53 - - - upload.wikimedia.org Intel::DOMAIN DNS::IN_REQUEST bro Intel::DOMAIN source1
|
1300475168.893988 Cab0vO1xNYSS2hJkle 141.142.220.118 45000 141.142.2.2 53 upload.wikimedia.org Intel::DOMAIN DNS::IN_REQUEST bro Intel::DOMAIN source1 - - -
|
||||||
1300475168.894787 Cx3C534wEyF3OvvcQe 141.142.220.118 48128 141.142.2.2 53 - - - upload.wikimedia.org Intel::DOMAIN DNS::IN_REQUEST bro Intel::DOMAIN source1
|
1300475168.894787 Cx3C534wEyF3OvvcQe 141.142.220.118 48128 141.142.2.2 53 upload.wikimedia.org Intel::DOMAIN DNS::IN_REQUEST bro Intel::DOMAIN source1 - - -
|
||||||
1300475168.916018 CJ3xTn1c4Zw9TmAE05 141.142.220.118 49997 208.80.152.3 80 - - - upload.wikimedia.org Intel::DOMAIN HTTP::IN_HOST_HEADER bro Intel::DOMAIN source1
|
1300475168.916018 CJ3xTn1c4Zw9TmAE05 141.142.220.118 49997 208.80.152.3 80 upload.wikimedia.org Intel::DOMAIN HTTP::IN_HOST_HEADER bro Intel::DOMAIN source1 - - -
|
||||||
1300475168.916183 C7XEbhP654jzLoe3a 141.142.220.118 49996 208.80.152.3 80 - - - upload.wikimedia.org Intel::DOMAIN HTTP::IN_HOST_HEADER bro Intel::DOMAIN source1
|
1300475168.916183 C7XEbhP654jzLoe3a 141.142.220.118 49996 208.80.152.3 80 upload.wikimedia.org Intel::DOMAIN HTTP::IN_HOST_HEADER bro Intel::DOMAIN source1 - - -
|
||||||
1300475168.918358 C3SfNE4BWaU4aSuwkc 141.142.220.118 49998 208.80.152.3 80 - - - upload.wikimedia.org Intel::DOMAIN HTTP::IN_HOST_HEADER bro Intel::DOMAIN source1
|
1300475168.918358 C3SfNE4BWaU4aSuwkc 141.142.220.118 49998 208.80.152.3 80 upload.wikimedia.org Intel::DOMAIN HTTP::IN_HOST_HEADER bro Intel::DOMAIN source1 - - -
|
||||||
1300475168.952296 CzA03V1VcgagLjnO92 141.142.220.118 49999 208.80.152.3 80 - - - upload.wikimedia.org Intel::DOMAIN HTTP::IN_HOST_HEADER bro Intel::DOMAIN source1
|
1300475168.952296 CzA03V1VcgagLjnO92 141.142.220.118 49999 208.80.152.3 80 upload.wikimedia.org Intel::DOMAIN HTTP::IN_HOST_HEADER bro Intel::DOMAIN source1 - - -
|
||||||
1300475168.952307 CyAhVIzHqb7t7kv28 141.142.220.118 50000 208.80.152.3 80 - - - upload.wikimedia.org Intel::DOMAIN HTTP::IN_HOST_HEADER bro Intel::DOMAIN source1
|
1300475168.952307 CyAhVIzHqb7t7kv28 141.142.220.118 50000 208.80.152.3 80 upload.wikimedia.org Intel::DOMAIN HTTP::IN_HOST_HEADER bro Intel::DOMAIN source1 - - -
|
||||||
1300475168.954820 CkDsfG2YIeWJmXWNWj 141.142.220.118 50001 208.80.152.3 80 - - - upload.wikimedia.org Intel::DOMAIN HTTP::IN_HOST_HEADER bro Intel::DOMAIN source1
|
1300475168.954820 CkDsfG2YIeWJmXWNWj 141.142.220.118 50001 208.80.152.3 80 upload.wikimedia.org Intel::DOMAIN HTTP::IN_HOST_HEADER bro Intel::DOMAIN source1 - - -
|
||||||
1300475168.975934 CJ3xTn1c4Zw9TmAE05 141.142.220.118 49997 208.80.152.3 80 - - - upload.wikimedia.org Intel::DOMAIN HTTP::IN_HOST_HEADER bro Intel::DOMAIN source1
|
1300475168.975934 CJ3xTn1c4Zw9TmAE05 141.142.220.118 49997 208.80.152.3 80 upload.wikimedia.org Intel::DOMAIN HTTP::IN_HOST_HEADER bro Intel::DOMAIN source1 - - -
|
||||||
1300475168.976436 C7XEbhP654jzLoe3a 141.142.220.118 49996 208.80.152.3 80 - - - upload.wikimedia.org Intel::DOMAIN HTTP::IN_HOST_HEADER bro Intel::DOMAIN source1
|
1300475168.976436 C7XEbhP654jzLoe3a 141.142.220.118 49996 208.80.152.3 80 upload.wikimedia.org Intel::DOMAIN HTTP::IN_HOST_HEADER bro Intel::DOMAIN source1 - - -
|
||||||
1300475168.979264 C3SfNE4BWaU4aSuwkc 141.142.220.118 49998 208.80.152.3 80 - - - upload.wikimedia.org Intel::DOMAIN HTTP::IN_HOST_HEADER bro Intel::DOMAIN source1
|
1300475168.979264 C3SfNE4BWaU4aSuwkc 141.142.220.118 49998 208.80.152.3 80 upload.wikimedia.org Intel::DOMAIN HTTP::IN_HOST_HEADER bro Intel::DOMAIN source1 - - -
|
||||||
1300475169.014593 CzA03V1VcgagLjnO92 141.142.220.118 49999 208.80.152.3 80 - - - upload.wikimedia.org Intel::DOMAIN HTTP::IN_HOST_HEADER bro Intel::DOMAIN source1
|
1300475169.014593 CzA03V1VcgagLjnO92 141.142.220.118 49999 208.80.152.3 80 upload.wikimedia.org Intel::DOMAIN HTTP::IN_HOST_HEADER bro Intel::DOMAIN source1 - - -
|
||||||
1300475169.014619 CyAhVIzHqb7t7kv28 141.142.220.118 50000 208.80.152.3 80 - - - upload.wikimedia.org Intel::DOMAIN HTTP::IN_HOST_HEADER bro Intel::DOMAIN source1
|
1300475169.014619 CyAhVIzHqb7t7kv28 141.142.220.118 50000 208.80.152.3 80 upload.wikimedia.org Intel::DOMAIN HTTP::IN_HOST_HEADER bro Intel::DOMAIN source1 - - -
|
||||||
1300475169.014927 CkDsfG2YIeWJmXWNWj 141.142.220.118 50001 208.80.152.3 80 - - - upload.wikimedia.org Intel::DOMAIN HTTP::IN_HOST_HEADER bro Intel::DOMAIN source1
|
1300475169.014927 CkDsfG2YIeWJmXWNWj 141.142.220.118 50001 208.80.152.3 80 upload.wikimedia.org Intel::DOMAIN HTTP::IN_HOST_HEADER bro Intel::DOMAIN source1 - - -
|
||||||
#close 2016-05-11-19-38-30
|
#close 2016-06-15-19-06-02
|
||||||
|
|