grigorescu

First we are going to do an extremely simple case of loading some data and matching it. First we will create an intelligence file in Bro’s intelligence format. Create a file named “intel1.dat” with the following content. Keep in mind that all field separation is with literal tabs! Double check that you don’t have spaces as separators.

#fields<TAB>indicator<TAB>indicator_type<TAB>meta.source
fetchback.com<TAB>Intel::DOMAIN<TAB>my_special_source

The next step will obviously be to load this data into Bro which is done as a configuration option. Put the following script into the same directory as your “intel1.dat” file and call it “intel-1.bro”.

grigorescu

awk 'BEGIN {FS="\t"};{for(i=1;i<=NF;i++) printf("\x1b[%sm %s \x1b[0m",(i%7)+31,$i);print ""}'

grigorescu

#!/bin/sh

#########################
## 
## Setup
##
#########################

# Set some vars

grigorescu

cluster.name: logs
# Puppet-ism to put in the hostname and IP
node.name: <%= @hostname %>
network.host: <%= @ipaddress %>

# Turn off multicast autodiscovery
discovery.zen.ping.unicast.hosts: 172.1.1.100:9300, 172.1.1.101:9300

index.number_of_shards: 4
index.routing.allocation.total_shards_per_node: 1

grigorescu

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
 
int main(void)
{