csirtgadgets / massive-octo-spice

DEPRECATED - USE v3 (bearded-avenger)
https://github.com/csirtgadgets/bearded-avenger-deploymentkit/wiki
GNU Lesser General Public License v3.0

cif output format for Bro missing meta.do_notice column? #438

Closed NoX1De closed 8 years ago

NoX1De commented 8 years ago

I believe that the Bro output format might be missing a key data column: meta.do_notice, which allows the ability to fire Bro Notices for Intel::Match hits (or I might be missing something here on how to make that work). I will say that I discussed this with Justin Azoff (avid Bro Dev etc.), and it seems that in order to have Bro fire Notices for Intel::Match, the meta.do_notice column is required in the CIF Intel files when they are spit out in Bro format; otherwise they will never be sent to the Bro Notice framework. I'm loading the appropriate Bro Intel/CIF scripts (see below) and still have no ability to fire Notices on Bro Intel framework hits. Does this make sense? Should this be fixed by modifying CIF to add the meta.do_notice column to the Bro output format? Or maybe another sub-option for Bro output to include that column? The code below is from my local.bro script, and still with all this configured I am not able to get any Intel Notices, regardless of the Intel hits I am seeing pile up in my Bro intel.log.

```
cif --token REDACTED --otype ipv4 --feed --confidence 85 --format bro --tags phishing,botnet,exploit,feodo,gozi,hijacked,malware,rdata,scanner,search,zeus > /home/cif-intel/bro/cif_ipv4.intel
```

```
# Load Bro Intel framework scripts
@load frameworks/intel/do_notice
@load frameworks/intel/seen

# Enable CIF plug-in for Bro log fields for CIF compatibility
@load policy/integration/collective-intel

# Read in Threat Intelligence data files for processing by the Bro Intel Framework
redef Intel::read_files += { "/opt/bro/feeds/cif_ipv4.intel", };

# Email all Intel::Notice matches
redef Notice::emailed_types += { Intel::Notice, };
```

cif_ipv4.intel currently CIF generated file headers/fields:

```
#fields	indicator	indicator_type	meta.desc	meta.cif_confidence	meta.source
```

Add meta.do_notice? I think it makes more sense to do this in the CIF Bro output format rather than messing with Bro scripts. I believe all this field does is populate every row with a single 'T'... see this doc for more information, but it doesn't seem to make sense to me why meta.do_notice would not be included in the CIF Bro formatted output.

https://www.bro.org/bro-exchange-2013/exercises/intel.html

Thank you!
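As an added example (not the CIF SDK's own formatter), a minimal stand-in for the Bro output format that emits the column set quoted above plus a trailing meta.do_notice column set to T, so the Intel framework passes Intel::Match hits on to Intel::Notice. The otype-to-Intel::Type mapping and the observable keys are assumptions, and the sample records are constructed.

```python
"""Render CIF observables in Bro Intel-framework format, with meta.do_notice."""
from typing import Dict, Iterable

# Column order: the issue's #fields header plus the missing meta.do_notice.
FIELDS = ["indicator", "indicator_type", "meta.desc",
          "meta.cif_confidence", "meta.source", "meta.do_notice"]

# CIF observable type -> Bro Intel::Type. Assumed mapping, not taken from the SDK.
OTYPE_TO_INTEL = {
    "ipv4": "Intel::ADDR", "ipv6": "Intel::ADDR",
    "fqdn": "Intel::DOMAIN", "url": "Intel::URL", "email": "Intel::EMAIL",
    "md5": "Intel::FILE_HASH", "sha1": "Intel::FILE_HASH", "sha256": "Intel::FILE_HASH",
}

def _cell(value) -> str:
    """Bro's input framework reads tab-separated columns; '-' marks an empty one."""
    if value is None or value == "":
        return "-"
    text = str(value)
    if "\t" in text or "\n" in text:
        raise ValueError("tab or newline inside a Bro intel field")
    return text

def to_bro_row(obs: Dict, do_notice: bool = True) -> str:
    """One observable -> one intel line; 'T' in meta.do_notice makes matches raise Intel::Notice."""
    if obs["otype"] not in OTYPE_TO_INTEL:
        raise ValueError("unsupported otype: %s" % obs["otype"])
    return "\t".join([
        _cell(obs["observable"]),
        OTYPE_TO_INTEL[obs["otype"]],
        _cell(obs.get("description")),
        _cell(obs.get("confidence")),
        _cell(obs.get("provider")),
        "T" if do_notice else "F",
    ])

def to_bro_intel(observables: Iterable[Dict], do_notice: bool = True) -> str:
    """Whole feed: tab-separated #fields header followed by one line per observable."""
    lines = ["#fields\t" + "\t".join(FIELDS)]
    lines.extend(to_bro_row(o, do_notice) for o in observables)
    return "\n".join(lines) + "\n"

# Constructed sample observables (hypothetical keys modelled on CIF's JSON output).
SAMPLE = [
    {"observable": "192.0.2.10", "otype": "ipv4", "description": "scanner",
     "confidence": 85, "provider": "example.test"},
    {"observable": "bad.example", "otype": "fqdn", "description": "phishing",
     "confidence": 95, "provider": "example.test"},
]
```

Writing `to_bro_intel(SAMPLE)` to the path named in `Intel::read_files` gives Bro a feed whose rows already carry the do_notice flag, without touching local.bro.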

wesyoung commented 8 years ago

i don't have a bro instance handy, but if you wanna fork/patch and submit a quick PR for:

https://github.com/csirtgadgets/cif-sdk-py/blob/master/cifsdk/format/bro.py

as long as you and @justinazoff think it makes sense, i have no reservations..

(make sure it passes the test too)

wesyoung commented 8 years ago

(we're opportunist mergers here, so as long as it passes the tests, additional PR's can always improve it ;))

anywho; send the PR here:

https://github.com/csirtgadgets/cif-sdk-py/pulls

and we'll get it right in.

coonsmatthew commented 8 years ago

Wes, we're actually calling the "cif" command directly on our CIF server, not from another server with the CIF SDK installed. Since this is the case, I'm guessing that we need to modify the Perl version of this file?

Do you know where the configuration file is installed by default as part of the CIF server setup?

Thank You.

wesyoung commented 8 years ago

ya, PR against: https://github.com/csirtgadgets/p5-cif-sdk/blob/master/lib/CIF/SDK/Format/Bro.pm

then.

should be /home/cif/.cif.yml or /home/$user/.cif.yml

coonsmatthew commented 8 years ago

Thanks! I found the location of the PM file on our server, it's here: /usr/local/share/perl/5.18.2/CIF/SDK/Format/Bro.pm

We will work on updating the file and send over the PR soon!