The Intelligence Framework can work with data feeds to process and correlate events and identify anomalies. It requires a feed to match against the network traffic and create alerts from it. There are a couple of critical points to keep in mind when performing this process:
The source file has to be tab-delimited.
You can manually update the source, and adding extra lines doesn't require any re-deployment.
However, if you delete a line from the file, you will need to re-deploy the Zeek instance.
# This demonstrates a single user-generated threat intel file and lets Zeek use it as the primary intelligence source.
#zeek frameworks
root@dco:~$ ls /opt/zeek/share/zeek/policy/frameworks
cluster dpd intel notice signatures
control files netcontrol packet-filter software
#
root@dco:~$ ls /opt/zeek/share/zeek/policy/frameworks/intel
do_expire.zeek do_notice.zeek removal.zeek seen whitelist.zeek
# Create the user-defined intel file (every line, including the #fields header, must be tab-delimited)
root@dco:~$ nano zeek_intel.txt
#fields indicator indicator_type meta.source meta.desc
smart-fax.com Intel::DOMAIN zeek-intel-test Zeek-Intelligence-Framework-Test
* This intel could have come from the pcap investigation or other intelligence sources.
- When this domain name appears in the network traffic, Zeek will create the "intel.log" file and provide the available details.
root@dco:~$ nano zeekIntelligenceDemo.zeek
# Load intelligence framework!
# "seen" feeds values observed in traffic (e.g. queried domain names) into the
# Intel framework so they can be matched against loaded indicators.
# NOTE(review): do_notice only raises a Notice for items whose meta.do_notice
# field is T; the intel file above does not define that column, so expect
# matches in intel.log but not necessarily in notice.log — confirm.
@load policy/frameworks/intel/seen
@load policy/frameworks/intel/do_notice
# Register the tab-delimited intel file as an input source.
# NOTE(review): the transcript above edits zeek_intel.txt in the home directory
# (~), while this path points at /opt/zeek/intel/ — confirm the file is
# actually placed there, otherwise no indicators are loaded.
# Whoever can write this file decides what Zeek flags as malicious, so keep it
# root-owned and read-only for everyone else and track changes to it.
redef Intel::read_files += { "/opt/zeek/intel/zeek_intel.txt" };
# Usage: run the script against the pcap (-C ignores bad packet checksums, -r reads the capture), then pull the matched indicators out of intel.log with zeek-cut
root@dco:~$ zeek -C -r case1.pcap zeekIntelligenceDemo.zeek
root@dco:~$ cat intel.log | zeek-cut uid id.orig_h id.resp_h seen.indicator matched
CZ1jLe2nHENdGQX377 10.6.27.102 10.6.27.1 smart-fax.com Intel::DOMAIN
C044Ot1OxBt8qCk7f2 10.6.27.102 107.180.50.162 smart-fax.com Intel::DOMAIN