
# Pretty-print selected columns of a Bro log; gzipped logs are read with zcat (branch bodies reconstructed from the preview).
if echo "$1" | grep -q '\.log\.gz$'; then CAT=zcat; else CAT=cat; fi
$CAT "$1" | bro-cut -dc $2 | sed -e 's/^#fields\t/#fields:/; s/^#types\t/#types:/' | column -t -s $'\t' | less -S

The Intelligence Framework Update

Recently Bro's intelligence framework was refactored and extended with a couple of new features. This post discusses the updates and tries to clarify some of the background that has turned out to be a common source of pitfalls in the past.

The Intelligence Framework Data Model

Understanding the intel framework's data model is the key to exploiting its full potential, so let's have a closer look. The core of an intelligence datum is the indicator (also indicator of compromise, IoC), e.g. an IP address, hash or domain name (for a list of available types see Bro's script reference). The indicator can be enriched with metadata of different kinds, e.g. a description, URL or severity level. The same indicator can be obtained from different intelligence sources, each providing different metadata. Thus, in Bro's intelligence framework, a plain indicator can be described by multiple metadata records. A metadata

View first_pkt_src.bro
# Adds first packet's source IP to conn.log.
redef record connection += {
    ## Source address of the first packet, recorded on the connection state.
    first_pkt_src: addr &optional;
};
redef record Conn::Info += {
    ## Source address of the first packet.
    first_pkt_src: addr &optional &log;
};
View expire_test.bro
@load base/frameworks/communication
# Keep Bro running after input ends so table expiration can be observed.
redef exit_only_after_terminate = T;
redef table_expire_interval = 1sec;
global start_time: time;
# Elapsed time since start_time (body reconstructed; the preview shows only the signature).
function time_past(): interval
    {
    return network_time() - start_time;
    }
View add-json.bro
##! Additional JSON-logging for Bro.
module Log;
export {
    ## Enables JSON-logfiles for all active streams
    const enable_all_json = T &redef;
    ## Streams not to generate JSON-logfiles for
    const exclude_json: set[Log::ID] = { } &redef;
    ## Streams to generate JSON-logfiles for
}
View do_notice.bro
# Extends the original script to add an identifier to the notices.
# Jan Grashoefer (
# Original script is shipped with Bro.
@load base/frameworks/intel
@load base/frameworks/notice
module Intel;
export {
}
View AF_Packet-TODOs.txt
- Fix initialization of stats.
- Investigate why the preferred way of setting the device into PROMISC causes checksum issues.
- Investigate performance impact of other block sizes.
- Investigate the use of hugepages and sanity checks for page size.