
Configure Bro and Alienvault OTX Agent

Robbie Corley edited this page Jun 28, 2018 · 5 revisions

It is assumed the user has a basic understanding of how Bro and Suricata function, so I will not go into much detail about the inner workings of either product. Instead I will offer some helpful config tips on getting Bro and the Alienvault agent up and running and monitoring your network traffic.

OK, so first, please be sure to browse to the URL below and sign up for a free account so you can use Alienvault's pulses/feeds with Bro:
https://otx.alienvault.com
Next, log in to your account at https://otx.alienvault.com and subscribe to a feed of your choice. I usually just go with the Alienvault-authored pulse/feed.
Now, copy your API key. You will need it at the end of the Bro installation.


OK, here's how it works:

The intel.log corresponds to your Alienvault feed, not to Suricata's or Bro's rulesets. If you visit testmyids.com, that produces an alert via Suricata's fast.log and one of the Bro logs, but it does nothing for the intel feed. Getting an intel hit requires going to a known site from your Alienvault feed. So, for instance, if I go to any of the sites listed in my Alienvault pulse, I should get an intel.log file. Let's check:

```
pi@raspberrypi:/opt/nsm/bro/logs/current $ ls

capture_loss.log conn.log dns.log files.log http.log intel.log known_hosts.log notice.log sip.log snmp.log software.log ssh.log ssl.log stats.log stderr.log stdout.log weird.log x509.log

pi@raspberrypi:/opt/nsm/bro/logs/current $ tail intel.log

a1c66be04 Author: AlienVault - - - 1530202522.064357 Ca4GuUxbpTjyHcfvb 192.168.1.37 55314 192.168.1.1 53 www.deutcshewelle.com Intel::DOMAIN DNS::IN_REQUEST bro Intel::DOMAIN AlienVault OTXv2 - Charming Kitten Watering Holes ID: 5b2b89d
```

And there it is. Hope that helps!
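As an added example (not from the original page or the OTX agent project), here is a small Python parser for Bro's tab-separated intel.log that reads the `#fields` header and groups hits by indicator, client host, where Bro saw the indicator, and which feed source matched, which is how you tell an OTX pulse hit from a Suricata or Bro signature alert. The sample log is constructed for the example: its first record is modeled on the one shown above, and the second record and its uid are invented.

```python
# Constructed sample log for this example. The header lines follow Bro's
# intel.log layout; the first record is modeled on the one shown above,
# the second is an invented HTTP hit on the same domain from another host.
SAMPLE_INTEL_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tintel
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tseen.indicator\tseen.indicator_type\tseen.where\tseen.node\tmatched\tsources\tfuid\tfile_mime_type\tfile_desc
1530202522.064357\tCa4GuUxbpTjyHcfvb\t192.168.1.37\t55314\t192.168.1.1\t53\twww.deutcshewelle.com\tIntel::DOMAIN\tDNS::IN_REQUEST\tbro\tIntel::DOMAIN\tAlienVault OTXv2 - Charming Kitten Watering Holes ID: 5b2b89d\t-\t-\t-
1530202530.101010\tCexampleUid0001\t192.168.1.42\t49210\t203.0.113.10\t80\twww.deutcshewelle.com\tIntel::DOMAIN\tHTTP::IN_HOST_HEADER\tbro\tIntel::DOMAIN\tAlienVault OTXv2 - Charming Kitten Watering Holes ID: 5b2b89d\t-\t-\t-
#close\t2018-06-28-12-00-00
"""


def parse_intel_log(text):
    """Yield one dict per record, keyed by the names in the #fields header.

    Bro writes its separator as an escape sequence (\\x09 for tab) on the
    #separator line, so decode it before splitting the remaining lines."""
    sep = "\t"
    fields = None
    for raw in text.splitlines():
        if not raw:
            continue
        if raw.startswith("#separator "):
            sep = raw.split(" ", 1)[1].encode().decode("unicode_escape")
        elif raw.startswith("#fields"):
            fields = raw.split(sep)[1:]
        elif raw.startswith("#"):
            continue  # remaining header lines and the #close footer
        elif fields is not None:
            yield dict(zip(fields, raw.split(sep)))


def summarize_hits(text):
    """Group intel hits by indicator: which internal hosts touched it, where
    in the traffic Bro saw it, and which feed source (OTX pulse) supplied it."""
    summary = {}
    for rec in parse_intel_log(text):
        entry = summary.setdefault(
            rec["seen.indicator"], {"hosts": set(), "where": set(), "sources": set()}
        )
        entry["hosts"].add(rec["id.orig_h"])
        entry["where"].add(rec["seen.where"])
        # sources is a Bro set[string]; its members are comma-separated
        entry["sources"].update(rec["sources"].split(","))
    return summary
```

Point it at /opt/nsm/bro/logs/current/intel.log (read the file into a string and pass it to `summarize_hits`) to get the same grouping over your live log.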
