Perhaps you decided though that seeing hits on your intelligence in certain locations is not actually what you wanted. The same do_notice script has the ability to limit your notices by the location that the intelligence was seen. Create a new intel-3.dat file that shows you are only interested in matching the intelligence if it was seen in the host header.

#fields<TAB>indicator<TAB>indicator_type<TAB>meta.source<TAB>meta.do_notice<TAB>meta.if_in
fetchback.com<TAB>Intel::DOMAIN<TAB>my_special_source<TAB>T<TAB>HTTP::IN_HOST_HEADER

The only change that needs to happen in the script is to load the new intelligence file, but we will include the new script here. Name it intel-3.bro.

@load frameworks/intel/seen
@load frameworks/intel/do_notice

redef Intel::read_files += {
    "/home/bro/pcap/intel-3.dat"
};

Now run this script:

bro -r /opt/TrafficSamples/exercise-traffic.pcap intel-3.bro

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

3-intel-notice-on-types.md

3-intel-notice-on-types.md

Files

3-intel-notice-on-types.md

Latest commit

History

3-intel-notice-on-types.md

File metadata and controls