Bro IDS + Critical stack not showing up in alerts. #34

Open
TheBlindHacker opened this issue Feb 8, 2018 · 3 comments

Comments

@TheBlindHacker

Default install on Ubuntu 16.04.3. Working great for baseliner, but I am not getting any Bro alerts or any alerts from Critical Stack when I am sending triggers to the known test sites.

Any suggestions?

@TravisFSmith
Owner

First step would be to verify that Bro is actually logging the files to the intel.log or notice.log files.

@TheBlindHacker
Author

Looks like it is logging to intel.log.

Both logs are below; none of the notices are logging.

critical-stack 11:08:36 [DEBUG] Downloading file:

Filename: critical-stack-intel-8-Cyber-Crime-Tracker.bro.dat
Checksum: 6d4698c56e9934b1cb2b61045eff77c5

critical-stack 11:08:36 [DEBUG] Downloading file:

Filename: critical-stack-intel-7-Known-Tor-Exit-Nodes.bro.dat
Checksum: d006bb56888d575f1e0f33b983fb636f

critical-stack 11:08:36 [DEBUG] Downloading file:

Filename: critical-stack-intel-2-bambenekconsulting.com-C-C-IPs.bro.dat
Checksum: 328f39db0af433b7dcf9f73a487f5f61

critical-stack 11:08:36 [INFO] Creating master file: master-public.bro.dat. Please wait.
critical-stack 11:08:53 [INFO] Master file created successfully.
critical-stack 11:08:53 [INFO] Intel files located at: /opt/critical-stack/frameworks/intel
critical-stack 11:08:53 [INFO] API Requests Remaining: 959 of 1000/minute

From notice.log:

CaptureLoss::Too_Much_Loss The capture loss script detected an estimated loss rate above 38.988% - - - - - bro Notice::ACTION_LOG 3600.000000 F - - - - -
1518116594.128321 COTLvE2zGCsqtQX4U5 10.10.1.172 53902 173.67.41.226 8834 - - - tcp SSL::Invalid_Server_Cert SSL certificate validation failed with (unable to get local issuer certificate) CN=ACTIVE-SOAP,ST=NY,C=US,L=New York,OU=Nessus Server,O=Nessus Users United 10.10.1.172 173.67.41.226 8834 - bro Notice::ACTION_LOG 3600.000000 F - - - - -
1518117477.191508 - - - - - - - -- CaptureLoss::Too_Much_Loss The capture loss script detected an estimated loss rate above 19.627% - - - - - bro Notice::ACTION_LOG 3600.000000 F - - - - -

@cloudstrifeedge

critical-stack-intel's server is down (2018-08-10); actually, the .dat file will not be downloaded.
I posted about it here:

#48

under "NOTICE".

Use OTX AlienVault instead.
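The two checks raised in this thread, as an added example (not the project's code, and not something any participant posted): first, the owner's suggested first step of confirming that notice.log and intel.log actually carry Intel:: entries rather than only unrelated notices; second, the later point that when the Critical Stack download fails the master .dat file has no indicators, so the Intel framework can never match anything. The script also picks out CaptureLoss::Too_Much_Loss notices like the two in the posted notice.log, because a high estimated loss rate means Bro is dropping packets and may never see the test connections. The feed rows, log lines, file names and the shortened log headers are constructed for illustration; the parser keys columns by name, so it runs unchanged against a real master-public.bro.dat, notice.log or intel.log.

```python
"""Two sanity checks for a Bro/Zeek Intel Framework fed by Critical Stack.

Added example, not code from the project or from anyone in this thread.
Check 1: does the master .dat file actually contain indicators? A failed feed
download leaves it empty or header-only, and then nothing can ever match.
Check 2: do notice.log / intel.log carry Intel:: entries, or only unrelated
notices such as CaptureLoss::Too_Much_Loss (which itself means Bro is
dropping packets and may never see the test connections)?
All paths and sample data below are constructed for illustration.
"""
import io
import sys
from collections import Counter


def parse_bro_tsv(text):
    """Parse Bro/Zeek ASCII log text (or an intel .dat feed) into dicts keyed by field name.

    Honours #separator, #fields, #unset_field and #empty_field; other directive
    lines (#open, #types, #path, #close) are skipped. Unset values become None.
    """
    sep, unset, empty = "\t", "-", "(empty)"
    fields, rows = None, []
    for raw in io.StringIO(text):
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#separator "):
            # Bro writes e.g. "#separator \x09"; decode the escape to the real character.
            sep = line[len("#separator "):].encode().decode("unicode_escape")
            continue
        if line.startswith("#"):
            key, _, val = line[1:].partition(sep)
            if key == "fields":
                fields = val.split(sep)
            elif key == "unset_field":
                unset = val
            elif key == "empty_field":
                empty = val
            continue
        if fields is None:
            raise ValueError("data row before #fields header: %r" % line)
        vals = line.split(sep)
        if len(vals) != len(fields):
            raise ValueError("expected %d columns, got %d: %r" % (len(fields), len(vals), line))
        rows.append({f: None if v == unset else "" if v == empty else v
                     for f, v in zip(fields, vals)})
    return rows


def check_intel_feed(text):
    """Return (indicator_count, Counter of indicator_type) for an intel .dat file."""
    rows = parse_bro_tsv(text)
    for r in rows:
        if not r.get("indicator") or not r.get("indicator_type"):
            raise ValueError("malformed intel row: %r" % r)
    return len(rows), Counter(r["indicator_type"] for r in rows)


def summarize_notices(text):
    """Count notice.log rows by note type, separating Intel:: hits from capture-loss warnings."""
    rows = parse_bro_tsv(text)
    by_note = Counter(r["note"] for r in rows)
    return {
        "by_note": dict(by_note),
        "intel_hits": sum(n for note, n in by_note.items() if note.startswith("Intel::")),
        "capture_loss": [r["msg"] for r in rows if r["note"] == "CaptureLoss::Too_Much_Loss"],
    }


def summarize_intel_log(text):
    """Return (indicator, type, source) for each intel.log match."""
    return [(r["seen.indicator"], r["seen.indicator_type"], r["sources"])
            for r in parse_bro_tsv(text)]


# Constructed samples. Real Bro log headers have more columns; the parser keys
# by name, so it runs unchanged on real files.
FEED_HEADER = "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.url\n"
FEED_OK = FEED_HEADER + (
    "198.51.100.7\tIntel::ADDR\tconstructed-feed\ttest C2 address\thttps://example.invalid/feed\n"
    "malware.example.net\tIntel::DOMAIN\tconstructed-feed\ttest domain\thttps://example.invalid/feed\n"
    "2001:db8::1\tIntel::ADDR\tconstructed-feed\ttest IPv6 address\thttps://example.invalid/feed\n"
)
FEED_EMPTY = FEED_HEADER  # what a failed download leaves behind: header only
NOTICE_LOG = (
    "#separator \\x09\n"
    "#unset_field\t-\n"
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tproto\tnote\tmsg\tactions\tsuppress_for\n"
    "1518116594.128321\tCOTLvE2zGCsqtQX4U5\t10.10.1.172\t173.67.41.226\ttcp\tSSL::Invalid_Server_Cert\t"
    "SSL certificate validation failed with (unable to get local issuer certificate)\tNotice::ACTION_LOG\t3600.000000\n"
    "1518117477.191508\t-\t-\t-\t-\tCaptureLoss::Too_Much_Loss\t"
    "The capture loss script detected an estimated loss rate above 19.627%\tNotice::ACTION_LOG\t3600.000000\n"
    "1518117500.000000\tCabc123\t10.10.1.172\t198.51.100.7\ttcp\tIntel::Notice\t"
    "Intel hit on 198.51.100.7 at Conn::IN_RESP\tNotice::ACTION_LOG\t3600.000000\n"
)
INTEL_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tseen.indicator\tseen.indicator_type\tseen.where\tsources\n"
    "1518117500.000000\tCabc123\t10.10.1.172\t198.51.100.7\t198.51.100.7\tIntel::ADDR\tConn::IN_RESP\tconstructed-feed\n"
)

if __name__ == "__main__":
    # Usage: python3 check_intel.py MASTER.bro.dat notice.log intel.log (no args: run on the samples)
    if len(sys.argv) == 4:
        feed, notice, intel = (open(p, encoding="utf-8").read() for p in sys.argv[1:4])
    else:
        feed, notice, intel = FEED_OK, NOTICE_LOG, INTEL_LOG
    count, by_type = check_intel_feed(feed)
    print(("feed indicators: %d %s" % (count, dict(by_type))) if count
          else "feed is EMPTY: the Intel framework has nothing to match")
    print("notices:", summarize_notices(notice))
    print("intel.log hits:", summarize_intel_log(intel))
```

Run it with no arguments to see the constructed samples, or point it at /opt/critical-stack/frameworks/intel/master-public.bro.dat and the current notice.log and intel.log from the Bro logs directory. A zero indicator count from the feed check is the symptom described in the last comment; an empty "intel_hits" with non-empty "capture_loss" says Bro is running but dropping enough traffic that the test connections may never be inspected.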
