├── README.md
├── __load__.bro
└── etpro_intel.bro

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------

# Installing ET Intelligence in Bro

##### Make a new directory for the ET Bro iprep files to live in

````
[rsh@sensor1 opt]$ mkdir /opt/etpro_bro
[rsh@sensor1 opt]$ cd /opt/etpro_bro
````

##### Grab `__load__.bro` and `etpro_intel.bro` from the EmergingThreats GitHub at https://github.com/EmergingThreats/bro.

`__load__.bro` is the file Bro reads when a directory is loaded; it tells Bro which .bro script in this directory to load.

`etpro_intel.bro` defines which reputation list categories you want to use on your sensors. Simply uncomment the
categories that you want to use. Take care with the commas and quotes: every entry except the last must end with a comma, and the last file listed must not have a comma after it, or the `redef` will fail to parse.

##### Modify your local.bro file to include this newly created script at the bottom of the file.

By default this file exists at /usr/local/bro/share/bro/site/local.bro.

````
[rsh@sensor1 etpro_bro]$ cat /usr/local/bro/share/bro/site/local.bro

#ETPRO IP and Domain Reputation Intel
@load /opt/etpro_bro
````

##### Create an hourly cron job to update the reputation data.

Make sure to include the Authorization Code provided with your ET Intelligence subscription. You do not have to tell Bro about the new files: the intel framework re-reads a file whenever its modification time changes.

This will wget the archive of all the files, which is ~1.9M compressed, and then decompress the files into the directory our script expects them to be in. The entry must be a single line, since cron does not support line continuation, and the archive name passed to tar and rm must match the name wget saves it under.

````
0 * * * * wget -q -O /tmp/brorepdata.tar.gz https://rules.emergingthreats.net//reputation/brorepdata.tar.gz && tar -xzf /tmp/brorepdata.tar.gz -C /opt/etpro_bro && rm -f /tmp/brorepdata.tar.gz > /dev/null 2>&1
````

##### Restart Bro

Once Bro knows the intel files exist and has loaded them, later updates of the intel files are picked up by Bro automatically. Execute the following commands:

````
[rsh@sensor1 etpro_bro]$ /usr/local/bro/bin/broctl
[BroControl] > stop
stopping worker-1-1 ...
stopping worker-1-2 ...
stopping worker-1-3 ...
stopping worker-1-4 ...
stopping proxy-1 ...
stopping manager ...
[BroControl] > install
removing old policies in /opt/bro/spool/installed-scripts-do-not-touch/site ...
removing old policies in /opt/bro/spool/installed-scripts-do-not-touch/auto ...
creating policy directories ...
installing site policies ...
generating cluster-layout.bro ...
generating local-networks.bro ...
generating broctl-config.bro ...
generating broctl-config.sh ...
updating nodes ...
[BroControl] > check
manager scripts are ok.
proxy-1 scripts are ok.
worker-1-1 scripts are ok.
worker-1-2 scripts are ok.
worker-1-3 scripts are ok.
worker-1-4 scripts are ok.
[BroControl] > start
starting manager ...
starting proxy-1 ...
starting worker-1-1 ...
starting worker-1-2 ...
starting worker-1-3 ...
starting worker-1-4 ...
[BroControl] > netstats
worker-1-1: 1444998097.745909 recvd=11 dropped=0 link=11
worker-1-2: 1444998097.945996 recvd=11 dropped=0 link=11
worker-1-3: 1444998098.146930 recvd=11 dropped=0 link=11
worker-1-4: 1444998098.346975 recvd=11 dropped=0 link=11
[BroControl] > exit
````

##### Installation Complete

You should now see events in intel.log and notice.log once traffic starts matching ET intelligence data.

The alert gives you the category and score of that particular indicator (carried in the `sources` column):

````
1443106773.411865 CGEsYb3jQDXusALSYi x.x.x.x 44319 202.108.23.29 80 - - - 202.108.23.29 Intel::ADDR Conn::IN_RESP ETPRO Rep: SpywareCnC Score: 107
````

--------------------------------------------------------------------------------
/__load__.bro:
--------------------------------------------------------------------------------

#*************************************************************
# Copyright (c) 2015, Emerging Threats/Proofpoint
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************

# This file exists only to load the Bro script referenced below.
@load ./etpro_intel.bro

--------------------------------------------------------------------------------
/etpro_intel.bro:
--------------------------------------------------------------------------------

#*************************************************************
# Copyright (c) 2015, Emerging Threats/Proofpoint
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************

# ETPRO IPREP for Bro

@load base/frameworks/intel
@load frameworks/intel/seen
@load frameworks/intel/do_notice

# Uncomment the categories to load. Every entry except the last needs a trailing comma;
# the last entry must not have one.
redef Intel::read_files += {

#  @DIR + "/etpro-AbusedTLD-domainrepdata.intel",
#  @DIR + "/etpro-AbusedTLD-iprepdata.intel",
#  @DIR + "/etpro-Bitcoin_Related-domainrepdata.intel",
#  @DIR + "/etpro-Bitcoin_Related-iprepdata.intel",
#  @DIR + "/etpro-Blackhole-domainrepdata.intel",
#  @DIR + "/etpro-Blackhole-iprepdata.intel",
   @DIR + "/etpro-Bot-domainrepdata.intel",
   @DIR + "/etpro-Bot-iprepdata.intel",
#  @DIR + "/etpro-Brute_Forcer-domainrepdata.intel",
#  @DIR + "/etpro-Brute_Forcer-iprepdata.intel",
#  @DIR + "/etpro-ChatServer-domainrepdata.intel",
#  @DIR + "/etpro-ChatServer-iprepdata.intel",
   @DIR + "/etpro-CnC-domainrepdata.intel",
   @DIR + "/etpro-CnC-iprepdata.intel",
   @DIR + "/etpro-Compromised-domainrepdata.intel",
   @DIR + "/etpro-Compromised-iprepdata.intel",
#  @DIR + "/etpro-DDoSAttacker-domainrepdata.intel",
#  @DIR + "/etpro-DDoSAttacker-iprepdata.intel",
#  @DIR + "/etpro-DDoSTarget-domainrepdata.intel",
#  @DIR + "/etpro-DDoSTarget-iprepdata.intel",
   @DIR + "/etpro-DriveBySrc-domainrepdata.intel",
   @DIR + "/etpro-DriveBySrc-iprepdata.intel",
#  @DIR + "/etpro-Drop-domainrepdata.intel",
#  @DIR + "/etpro-Drop-iprepdata.intel",
#  @DIR + "/etpro-DynDNS-domainrepdata.intel",
#  @DIR + "/etpro-DynDNS-iprepdata.intel",
#  @DIR + "/etpro-EXE_Source-domainrepdata.intel",
#  @DIR + "/etpro-EXE_Source-iprepdata.intel",
#  @DIR + "/etpro-FakeAV-domainrepdata.intel",
#  @DIR + "/etpro-FakeAV-iprepdata.intel",
#  @DIR + "/etpro-IPCheck-domainrepdata.intel",
#  @DIR + "/etpro-IPCheck-iprepdata.intel",
#  @DIR + "/etpro-Mobile_CnC-domainrepdata.intel",
#  @DIR + "/etpro-Mobile_CnC-iprepdata.intel",
#  @DIR + "/etpro-Mobile_Spyware_CnC-domainrepdata.intel",
#  @DIR + "/etpro-Mobile_Spyware_CnC-iprepdata.intel",
#  @DIR + "/etpro-OnlineGaming-domainrepdata.intel",
#  @DIR + "/etpro-OnlineGaming-iprepdata.intel",
#  @DIR + "/etpro-P2P-domainrepdata.intel",
#  @DIR + "/etpro-P2P-iprepdata.intel",
#  @DIR + "/etpro-P2PCnC-domainrepdata.intel",
#  @DIR + "/etpro-P2PCnC-iprepdata.intel",
#  @DIR + "/etpro-Parking-domainrepdata.intel",
#  @DIR + "/etpro-Parking-iprepdata.intel",
#  @DIR + "/etpro-Proxy-domainrepdata.intel",
#  @DIR + "/etpro-Proxy-iprepdata.intel",
#  @DIR + "/etpro-RemoteAccessService-domainrepdata.intel",
#  @DIR + "/etpro-RemoteAccessService-iprepdata.intel",
#  @DIR + "/etpro-Scanner-domainrepdata.intel",
#  @DIR + "/etpro-Scanner-iprepdata.intel",
#  @DIR + "/etpro-SelfSignedSSL-domainrepdata.intel",
#  @DIR + "/etpro-SelfSignedSSL-iprepdata.intel",
#  @DIR + "/etpro-Skype_SuperNode-domainrepdata.intel",
#  @DIR + "/etpro-Skype_SuperNode-iprepdata.intel",
#  @DIR + "/etpro-Spam-domainrepdata.intel",
#  @DIR + "/etpro-Spam-iprepdata.intel",
   @DIR + "/etpro-SpywareCnC-domainrepdata.intel",
   @DIR + "/etpro-SpywareCnC-iprepdata.intel"
#  @DIR + "/etpro-TorNode-domainrepdata.intel",
#  @DIR + "/etpro-TorNode-iprepdata.intel",
#  @DIR + "/etpro-Undesirable-domainrepdata.intel",
#  @DIR + "/etpro-Undesirable-iprepdata.intel",
#  @DIR + "/etpro-Utility-domainrepdata.intel",
#  @DIR + "/etpro-Utility-iprepdata.intel",
#  @DIR + "/etpro-VPN-domainrepdata.intel",
#  @DIR + "/etpro-VPN-iprepdata.intel"

};

--------------------------------------------------------------------------------
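The README's "Installation Complete" step shows an intel.log hit whose `sources` column carries `ETPRO Rep: <category> Score: <n>`. The following is an added example (not part of the EmergingThreats repo) of a small triage script that parses Bro 2.x intel.log rows, pulls the ET category and score out of that column, and keeps only hits above a chosen score; the log rows are constructed, with the first mirroring the README's sample.

```python
import re
from collections import namedtuple

# Bro 2.x intel.log columns, in order (tab-separated; "-" marks an unset field).
INTEL_FIELDS = (
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
    "fuid", "file_mime_type", "file_desc",
    "seen.indicator", "seen.indicator_type", "seen.where", "sources",
)

# The ET Pro feeds set each indicator's meta.source to "ETPRO Rep: <category> Score: <n>",
# which Bro copies into the sources column of intel.log (sources is a set, joined with ",").
ETPRO_SOURCE = re.compile(r"^ETPRO Rep: (?P<category>\S+) Score: (?P<score>\d+)$")

Hit = namedtuple("Hit", "ts indicator indicator_type where category score")

def parse_intel_line(line):
    """Return one Hit per ETPRO source on an intel.log row; header/comment rows and
    rows with the wrong column count yield nothing rather than misattributed fields."""
    if not line or line.startswith("#"):
        return []
    cols = line.rstrip("\n").split("\t")  # split on tabs only: the sources value contains spaces
    if len(cols) != len(INTEL_FIELDS):
        return []
    rec = dict(zip(INTEL_FIELDS, cols))
    hits = []
    for src in rec["sources"].split(","):
        m = ETPRO_SOURCE.match(src.strip())
        if m:
            hits.append(Hit(float(rec["ts"]), rec["seen.indicator"], rec["seen.indicator_type"],
                            rec["seen.where"], m.group("category"), int(m.group("score"))))
    return hits

def triage(lines, min_score=100, categories=None):
    """Keep hits scoring at least min_score, optionally limited to a set of ET categories."""
    return [h for line in lines for h in parse_intel_line(line)
            if h.score >= min_score and (categories is None or h.category in categories)]

# Constructed sample rows, tab-separated like the real log; row 1 mirrors the README's example.
SAMPLE_LOG = [
    "#fields\tts\tuid\t...",
    "1443106773.411865\tCGEsYb3jQDXusALSYi\tx.x.x.x\t44319\t202.108.23.29\t80\t-\t-\t-\t202.108.23.29\tIntel::ADDR\tConn::IN_RESP\tETPRO Rep: SpywareCnC Score: 107",
    "1443106780.000000\tCabc123\t10.0.0.7\t51000\t198.51.100.9\t443\t-\t-\t-\t198.51.100.9\tIntel::ADDR\tConn::IN_RESP\tETPRO Rep: Scanner Score: 40",
    "1443106790.000000\tCdef456\t10.0.0.9\t53\t10.0.0.1\t53\t-\t-\t-\tbad.example\tIntel::DOMAIN\tDNS::IN_REQUEST\tETPRO Rep: CnC Score: 120,local-blocklist",
]

if __name__ == "__main__":
    for h in triage(SAMPLE_LOG):
        print(h)
```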