jonschipp / mal-dnssearch

Compare multiple log formats against malware reputation lists.
88 stars 28 forks

Debian Wheezy, problem with awk? #6

Closed jeffhammett closed 10 years ago

jeffhammett commented 10 years ago

I'm running Bro on a fully patched Debian Wheezy system, and am trying to use mal-dnssearch and mal-dns2bro.

I am able to download the raw files ok, but mal-dns2bro is not working. The output file I specify is blank. I think it is a problem with awk, but I am not sure exactly what is wrong or how to fix it. By default my system was using mawk, but I have tried gawk and original-awk as well, none work, although they all produce slightly different errors.

Any help would be much appreciated.

mawk:

jeff@bro:/opt/bro/feeds$ mal-dnssearch -M mayhemic -p | mal-dns2bro -T dns -s mayhemic -n true > mayhemic.intel

[*] Waiting for input.. (Did you pipe stdin or specify a file?)

awk: line 1: syntax error at or near end of line

PID: 28957

[*] Downloading http://secure.mayhemiclabs.com/malhosts/malhosts.txt...

--2014-11-02 20:12:14--  http://secure.mayhemiclabs.com/malhosts/malhosts.txt
Resolving secure.mayhemiclabs.com (secure.mayhemiclabs.com)... 198.147.20.153
Connecting to secure.mayhemiclabs.com (secure.mayhemiclabs.com)|198.147.20.153|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 102202 (100K) [text/plain]
Saving to: `malhosts.txt'

100%[==============================================================================================================================>] 102,202      421K/s   in 0.2s    

2014-11-02 20:12:14 (421 KB/s) - `malhosts.txt' saved [102202/102202]

[*] Stdout below for piping to a file or program

jeff@bro:/opt/bro/feeds$ tail malhosts.txt 
zjjlf.croukwexdbyerr.net
zkic.com
zneoq0gpzu.com
zol.com.cn
zous.szm.sk
zpti3tyb7h.com
zsj18.com
zu-yuan.com
zuowangzhanla.com
zwierzu.zxy.me
jeff@bro:/opt/bro/feeds$ cat mayhemic.intel 
jeff@bro:/opt/bro/feeds$ 

gawk:

jeff@bro:~$ mal-dnssearch -M mayhemic -p | mal-dns2bro -T dns -s -n true -s mayhemic > mayhemic.intel

[*] Waiting for input.. (Did you pipe stdin or specify a file?)

awk: cmd. line:2: wlist=-
awk: cmd. line:2:        ^ unexpected newline or end of string

PID: 31151

[*] Downloading http://secure.mayhemiclabs.com/malhosts/malhosts.txt...

--2014-11-02 20:34:10--  http://secure.mayhemiclabs.com/malhosts/malhosts.txt
Resolving secure.mayhemiclabs.com (secure.mayhemiclabs.com)... 198.147.20.153
Connecting to secure.mayhemiclabs.com (secure.mayhemiclabs.com)|198.147.20.153|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 102202 (100K) [text/plain]
Saving to: `malhosts.txt'

100%[==============================================================================================================================>] 102,202      350K/s   in 0.3s    

2014-11-02 20:34:11 (350 KB/s) - `malhosts.txt' saved [102202/102202]

[*] Stdout below for piping to a file or program

jeff@bro:~$ tail malhosts.txt 
zjjlf.croukwexdbyerr.net
zkic.com
zneoq0gpzu.com
zol.com.cn
zous.szm.sk
zpti3tyb7h.com
zsj18.com
zu-yuan.com
zuowangzhanla.com
zwierzu.zxy.me
jeff@bro:~$ cat mayhemic.intel 
jeff@bro:~$ 

original-awk:

jeff@bro:~$ mal-dnssearch -M mayhemic -p | mal-dns2bro -T dns -s -n true -s mayhemic > mayhemic.intel

[*] Waiting for input.. (Did you pipe stdin or specify a file?)

awk: syntax error at source line 1
 context is
     >>>  <<< 
awk: bailing out at source line 1

PID: 31309

[*] Downloading http://secure.mayhemiclabs.com/malhosts/malhosts.txt...

--2014-11-02 20:36:14--  http://secure.mayhemiclabs.com/malhosts/malhosts.txt
Resolving secure.mayhemiclabs.com (secure.mayhemiclabs.com)... 198.147.20.153
Connecting to secure.mayhemiclabs.com (secure.mayhemiclabs.com)|198.147.20.153|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 102202 (100K) [text/plain]
Saving to: `malhosts.txt'

100%[==============================================================================================================================>] 102,202      505K/s   in 0.2s    

2014-11-02 20:36:14 (505 KB/s) - `malhosts.txt' saved [102202/102202]

[*] Stdout below for piping to a file or program

jeff@bro:~$ tail malhosts.txt 
zjjlf.croukwexdbyerr.net
zkic.com
zneoq0gpzu.com
zol.com.cn
zous.szm.sk
zpti3tyb7h.com
zsj18.com
zu-yuan.com
zuowangzhanla.com
zwierzu.zxy.me
jeff@bro:~$ cat mayhemic.intel 
jeff@bro:~$ 
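As an added illustration of what the mal-dns2bro step in the report is meant to produce (this is not mal-dnssearch's own code), the POSIX shell functions below turn a hostname list like malhosts.txt into a Bro Intel framework file. The source and do_notice values are passed into awk with -v, so the awk program text stays constant and behaves the same under mawk, gawk and original-awk; a wrapper then refuses to leave behind the empty .intel file seen above when awk fails or emits only a header. The field names are the Bro Intel framework's; the sample host list and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from mal-dnssearch. Converts a plain hostname list
# (one name per line) into a Bro Intel framework file.

# Constructed sample feed with the noise a downloaded list may contain:
# a comment, a blank line, CRLF line endings and padding.
sample_hostlist() {
    printf '# constructed sample, not a real feed\n'
    printf 'zkic.com\n'
    printf '\n'
    printf '  zol.com.cn \r\n'
    printf 'zu-yuan.com\n'
}

# hostlist_to_intel SOURCE DO_NOTICE < hostlist
# Values reach awk through -v assignments rather than shell interpolation into
# the program text; a mangled assignment inside the program text is exactly
# what gawk's "wlist=-" syntax error in the report looks like.
hostlist_to_intel() {
    src="$1"
    case "$2" in
        true|T|t|1) notice=T ;;   # Bro bool literal for meta.do_notice
        *)          notice=F ;;
    esac
    awk -v src="$src" -v notice="$notice" '
        BEGIN {
            OFS = "\t"
            print "#fields", "indicator", "indicator_type", "meta.source", "meta.do_notice"
        }
        { sub(/\r$/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # strip CR and padding
        $0 == "" || $0 ~ /^#/ { next }                      # skip blanks and comments
        { print $0, "Intel::DOMAIN", src, notice }          # hostnames are DOMAIN indicators
    '
}

# write_intel SOURCE DO_NOTICE OUTFILE < hostlist
# Guards against the silent failure in the report: the target is only written
# when awk exits 0 and produced at least one row beyond the header; otherwise
# the temp file is removed and the function returns non-zero.
write_intel() {
    tmp="$3.tmp.$$"
    if hostlist_to_intel "$1" "$2" > "$tmp" && [ "$(wc -l < "$tmp" | tr -d ' ')" -gt 1 ]; then
        mv "$tmp" "$3"
    else
        rm -f "$tmp"
        echo "no intel rows produced for $3" >&2
        return 1
    fi
}

# Usage: sample_hostlist | write_intel mayhemic true mayhemic.intel
```

Running `sample_hostlist | hostlist_to_intel mayhemic true` prints the header plus three tab-separated rows; feeding it a comments-only list makes write_intel exit non-zero instead of creating a blank file, which is the behaviour the blank `cat mayhemic.intel` above would have benefited from.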
jonschipp commented 10 years ago

@jeffhammett Thanks for the report! I introduced a typo in a previous commit and didn't catch it. This is now fixed in https://github.com/jonschipp/mal-dnssearch/commit/b819f1cbd2f69235bd07bd1b2870b1b05af26d0f, please git pull and make install. Thanks!