csirtgadgets / massive-octo-spice

DEPRECATED - USE v3 (bearded-avenger)
https://github.com/csirtgadgets/bearded-avenger-deploymentkit/wiki
GNU Lesser General Public License v3.0
227 stars, 62 forks

bro export issue? #441

Closed villain closed 7 years ago

villain commented 8 years ago

Not sure if this is a user error or not. When I run the following command to export data into a Bro format file:

cif --tags vendor --days 20 -f bro --feed --otype md5

I end up with:

cb0c100470335e8f0bd4e09042baa5fb md5 vendor|malware 85 vendor1
cc81033bb2dcfc413f53ccb2da3f3f51 md5 vendor|malware 85 vendor1

But the supported types of intel indicators for Bro are:

Intel::ADDR Intel::URL Intel::SOFTWARE Intel::EMAIL Intel::DOMAIN Intel::USER_NAME Intel::FILE_HASH Intel::FILE_NAME Intel::CERT_HASH

I believe the md5 needs to be Intel::FILE_HASH.

--otype sha1 is also affected

wesyoung commented 8 years ago

My guess is we'll have to add those types here:

https://github.com/csirtgadgets/cif-sdk-py/blob/master/cifsdk/format/bro.py#L9

which maps to the correct Bro output?
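The fix both comments point at is a lookup from CIF observable types to the Bro Intel framework's `Intel::Type` values, so that md5 and sha1 observables come out as `Intel::FILE_HASH` rather than the raw otype string. The following is an added example of such a mapping and formatter; it is not the code in cif-sdk-py's bro.py. The CIF record field names (observable, otype, tags, confidence, provider) are assumptions based on the columns quoted in the issue, the sample records are constructed, and the output columns follow the Bro Intel framework's tab-separated intel file layout. Observables with no Bro type are reported rather than emitted, because a line carrying an unknown indicator type would make Bro reject the whole file.

```python
# Added example, not cif-sdk-py's own bro.py: map CIF otypes to Bro Intel::Type
# values and render observables as a tab-separated Bro intel file.

# CIF otype -> Bro Intel::Type. Only types Bro's Intel framework accepts appear here;
# md5/sha1/sha256 all collapse onto Intel::FILE_HASH, which is the point of the issue.
OTYPE_TO_INTEL = {
    "ipv4": "Intel::ADDR",
    "ipv6": "Intel::ADDR",
    "fqdn": "Intel::DOMAIN",
    "url": "Intel::URL",
    "email": "Intel::EMAIL",
    "md5": "Intel::FILE_HASH",
    "sha1": "Intel::FILE_HASH",
    "sha256": "Intel::FILE_HASH",
}

# Column order of a Bro intel file, as declared in its "#fields" header line.
FIELDS = ["indicator", "indicator_type", "meta.source", "meta.desc", "meta.url"]

# Constructed sample records shaped like the issue's output (field names assumed).
# 64496 is a documentation ASN; "asn" has no Bro Intel::Type and must be skipped.
SAMPLE = [
    {"observable": "cb0c100470335e8f0bd4e09042baa5fb", "otype": "md5",
     "tags": ["vendor", "malware"], "confidence": 85, "provider": "vendor1"},
    {"observable": "cc81033bb2dcfc413f53ccb2da3f3f51", "otype": "md5",
     "tags": ["vendor", "malware"], "confidence": 85, "provider": "vendor1"},
    {"observable": "64496", "otype": "asn",
     "tags": ["scanner"], "confidence": 50, "provider": "vendor1"},
]


def to_intel_type(otype):
    """Return the Bro Intel::Type for a CIF otype, or None when Bro has no such type."""
    return OTYPE_TO_INTEL.get(str(otype).lower())


def _field(value):
    """Bro's input reader splits on tabs and uses '-' for empty values."""
    text = "-" if value in (None, "") else str(value)
    return text.replace("\t", " ").replace("\n", " ")


def bro_rows(observables):
    """Convert observables to intel rows; return (rows, skipped) where skipped
    lists (indicator, otype) pairs that have no Bro Intel::Type."""
    rows, skipped = [], []
    for obs in observables:
        intel_type = to_intel_type(obs.get("otype", ""))
        if intel_type is None:
            skipped.append((obs.get("observable"), obs.get("otype")))
            continue
        # Carry CIF tags and confidence in meta.desc so they survive in Bro's intel.log.
        desc = "%s confidence=%s" % ("|".join(obs.get("tags", [])), obs.get("confidence", ""))
        rows.append([_field(obs["observable"]), intel_type,
                     _field(obs.get("provider")), _field(desc), "-"])
    return rows, skipped


def format_bro(observables):
    """Render the full intel file text (header plus rows) and the skipped list."""
    rows, skipped = bro_rows(observables)
    lines = ["#fields\t" + "\t".join(FIELDS)] + ["\t".join(r) for r in rows]
    return "\n".join(lines) + "\n", skipped


if __name__ == "__main__":
    text, skipped = format_bro(SAMPLE)
    print(text, end="")
    for indicator, otype in skipped:
        print("# skipped %s: no Bro Intel::Type for otype %r" % (indicator, otype))
```

Running the block prints the `#fields` header followed by the two md5 indicators typed as `Intel::FILE_HASH`, and reports the asn record as skipped instead of writing an unloadable line.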