After registering with criticalstack it was not possible to add feeds in collections, so its open-source threat-intelligence library could not be used, and an inquiry through their website got no reply. This article therefore uses the AlienVault OTX open threat-intelligence data instead.
1. Register and obtain an API key
Go to https://otx.alienvault.com, register an account, and obtain the API key from your account settings.

2. Install Bro normally
Download Bro from the Bro website. Version 2.5.5 was used for testing and built successfully on Ubuntu 16:
(1) Install the build dependencies (Debian/Ubuntu package names; the *-devel names belong to RPM-based distributions and do not exist in apt):
apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev
(2) Install Bro
Download the Bro source package:
https://www.bro.org/sphinx/install/install.html#id2
Version: bro-2.5.5.tar.gz
Unpack it:
tar -vzxf bro-2.5.5.tar.gz
Build and install (use &&, so make install only runs if the build succeeded; a single & would start both in parallel):
cd bro-2.5.5
./configure
make && make install
(3) Set the capture interface (check the local NIC name with ifconfig or ip link):
vi /usr/local/bro/etc/node.cfg
change interface=eth0 to interface=ens33
Logs are written to: /usr/local/bro/logs/current
Bro script files live under: /usr/local/bro/share/bro/policy
3. Install the OTX scripts and data with a setup script
(1) Download Security Onion's OTX setup script with wget https://raw.githubusercontent.com/weslambert/securityonion-otx/master/securityonion-otx. Because this article tests against a plain Bro install rather than Security Onion, the paths in it must be changed; the modified script is:
#!/bin/bash
# Installs the hosom/bro-otx connector into a plain Bro install and wires it
# into local.bro. If OTX_PATH is changed, local.bro MUST be updated by hand.
OTX_PATH="/usr/local/bro/share/bro/policy/bro-otx"
BRO_SITE="/usr/local/bro/share/bro/site"
BROCTL="/usr/local/bro/bin/broctl"

# Download connector
echo
echo "Downloading Bro/OTX Connector ..."
echo
if [ ! -d "$OTX_PATH" ]; then
    git clone https://github.com/hosom/bro-otx "$OTX_PATH"
else
    echo "Bro-OTX directory already exists!"
fi
cd "$OTX_PATH" || exit 1
# The repository keeps its Bro scripts under scripts/; flatten them into
# OTX_PATH so that "@load bro-otx" resolves to this directory.
if [ -d scripts ]; then
    cp -av scripts/* .
    rm -rf scripts
fi

# Get API key (read without echo so it does not end up in the terminal scrollback)
echo
echo "Please provide an Alienvault OTX API key! [ENTER]:"
echo "(Input field is hidden)"
echo
read -r -s APIKEY

# Configure connector: point it at the key and at the output file Bro will read
echo "Configuring Bro OTX Connector..."
echo
if [ -f "$OTX_PATH/bro-otx.conf" ]; then
    sed -i "s|api_key.*|api_key = $APIKEY|" "$OTX_PATH/bro-otx.conf"
    sed -i "s|outfile.*|outfile = $OTX_PATH/otx.dat|" "$OTX_PATH/bro-otx.conf"
fi
if [ -f "$OTX_PATH/bro-otx.py" ]; then
    sed -i "s|default='bro-otx.conf'|default='$OTX_PATH/bro-otx.conf'|" "$OTX_PATH/bro-otx.py"
fi

# Add to local.bro (keeping a backup of the original)
if ! grep -q bro-otx "$BRO_SITE/local.bro"; then
    cp "$BRO_SITE/local.bro" "$BRO_SITE/local.bro.bak"
    cat << EOF >> "$BRO_SITE/local.bro"
# Load Bro OTX Pulses
@load bro-otx
EOF
else
    echo "@load bro-otx already exists in local.bro!"
fi

# Run the pulse retrieval script for the first time
echo "Pulling OTX Pulses..."
echo
if [ -f "$OTX_PATH/bro-otx.py" ]; then
    /usr/bin/python "$OTX_PATH/bro-otx.py"
fi

# Restart Bro
echo "Restarting Bro..."
echo
"$BROCTL" check
"$BROCTL" install
"$BROCTL" restart
echo "Done!"
echo

# Check if script(s) loaded
if grep -q otx /usr/local/bro/logs/current/loaded_scripts.log; then
    echo "Script(s) loaded!"
    echo
else
    echo "There seems to be an issue with your configuration. Check /usr/local/bro/logs/current/reporter.log for clues."
    echo
fi
When the script prompts for the OTX API key, paste it (the input is hidden). The key is stored in clear text in bro-otx.conf, so restrict that file's permissions to the user that runs bro-otx.py (for example chmod 600).
Before running the script, install its prerequisites:
apt-get install git
apt-get install python-pip
pip install requests
(2) Run: sudo bash securityonion-otx
4、測(cè)試
sudo gedit /usr/local/bro/share/bro/policy/bro-otx/otx.dat
添加一些內(nèi)容:
www.baidu.com Intel::DOMAIN Test1-baidu-Intel https://baidu.com T
www.google.com Intel::DOMAIN Test1-Google-Intel https://google.com T
baidu.com Intel::DOMAIN Test1-baidu-Intel https://baidu.com T
google.com Intel::DOMAIN Test1-Google-Intel https://google.com T
測(cè)試完畢后請(qǐng)刪除。
If it works, records like the following appear in /usr/local/bro/logs/current/intel.log (one tab-separated record, shown wrapped):
1543810814.561031 C54ogUaVovQHmrqlj 192.168.2xx.131 42862 223.252.199.7 443 163.com Intel::DOMAIN X509::IN_CERT bro Intel::DOMAIN 163.test Fogk7hNCBjfSr8Bg3 application/pkix-cert 223.252.199.7:443/tcp
Reading left to right: timestamp, connection uid, originator address and port, responder address and port, the indicator that matched (163.com) and its type, where Bro saw it (X509::IN_CERT, i.e. in a server certificate rather than in a DNS query), the node, the matched type, the intel source(s) the indicator came from (163.test), and the file uid, MIME type and description of the certificate in which it was seen.
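Both the otx.dat rows and the intel.log record above are plain tab-separated text, and a wrong separator is the usual reason an edited otx.dat produces no hits. The following Python helpers are an added example, not code from this page or from the bro-otx project: they render indicator tuples as a Bro Intel input file, flag a file that was pasted with spaces instead of tabs, and parse intel.log using the log's own #fields header. The indicator-type list and column layout assume Bro 2.5 defaults; the sample log records are constructed (made-up uids and RFC 1918 addresses), modelled on the shape of the record shown above.

```python
"""Build, validate and read the tab-separated files the Bro Intel framework uses.
Added example (not from the page or the bro-otx project). Assumes Bro 2.5 defaults: an
Intel input file is tab-separated under a '#fields' header; intel.log names its own columns."""

# Column order the Intel framework expects in an otx.dat-style input file.
FIELDS = ("indicator", "indicator_type", "meta.source", "meta.url", "meta.do_notice")

# Indicator types defined by the Bro 2.5 Intel framework.
INTEL_TYPES = frozenset({
    "Intel::ADDR", "Intel::SUBNET", "Intel::URL", "Intel::SOFTWARE", "Intel::EMAIL",
    "Intel::DOMAIN", "Intel::USER_NAME", "Intel::CERT_HASH", "Intel::PUBKEY_HASH",
    "Intel::FILE_HASH", "Intel::FILE_NAME",
})


def build_intel_file(entries):
    """Render (indicator, type, source, url, do_notice) tuples as an Intel input file.
    Raises ValueError for rows Bro would reject or silently mis-parse."""
    lines = ["#fields\t" + "\t".join(FIELDS)]
    for row in entries:
        if row[1] not in INTEL_TYPES:
            raise ValueError("unknown indicator type: %s" % row[1])
        if row[4] not in ("T", "F"):
            raise ValueError("meta.do_notice must be T or F, got %r" % row[4])
        for value in row:
            if any(c.isspace() for c in value):
                # A space or tab inside a value shifts every following column.
                raise ValueError("whitespace inside field: %r" % value)
        lines.append("\t".join(row))
    return "\n".join(lines) + "\n"


def first_error(entries):
    """Return the message build_intel_file raises for entries, or None if it is clean."""
    try:
        build_intel_file(entries)
    except ValueError as exc:
        return str(exc)
    return None


def validate_intel_file(text):
    """List problems in an existing Intel file (rows typed with spaces read as one column)."""
    problems = []
    lines = text.splitlines()
    if not lines or not lines[0].startswith("#fields\t"):
        problems.append("line 1: missing tab-separated '#fields' header")
    for n, line in enumerate(lines[1:], start=2):
        if not line or line.startswith("#"):
            continue
        cols = line.split("\t")
        if len(cols) != len(FIELDS):
            problems.append("line %d: expected %d tab-separated columns, got %d"
                            % (n, len(FIELDS), len(cols)))
        elif cols[1] not in INTEL_TYPES:
            problems.append("line %d: unknown indicator type %r" % (n, cols[1]))
    return problems


def parse_intel_log(text):
    """Parse a Bro ASCII intel.log into dicts keyed by its #fields names; '-' becomes None."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("record before #fields header")
            values = [None if v == "-" else v for v in line.split("\t")]
            records.append(dict(zip(fields, values)))
    return records


# The four test rows from the page, as tuples.
TEST_ENTRIES = [
    ("www.baidu.com", "Intel::DOMAIN", "Test1-baidu-Intel", "https://baidu.com", "T"),
    ("www.google.com", "Intel::DOMAIN", "Test1-Google-Intel", "https://google.com", "T"),
    ("baidu.com", "Intel::DOMAIN", "Test1-baidu-Intel", "https://baidu.com", "T"),
    ("google.com", "Intel::DOMAIN", "Test1-Google-Intel", "https://google.com", "T"),
]

# The same data pasted with spaces, as it arrives when copied from a web page.
SPACE_SEPARATED = ("#fields indicator indicator_type meta.source meta.url meta.do_notice\n"
                   "www.baidu.com Intel::DOMAIN Test1-baidu-Intel https://baidu.com T\n")

# Constructed intel.log excerpt (Bro 2.5 default columns, made-up uids and IPs); the
# first record mirrors the shape of the certificate hit shown on the page.
SAMPLE_INTEL_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tseen.indicator"
    "\tseen.indicator_type\tseen.where\tseen.node\tmatched\tsources\tfuid"
    "\tfile_mime_type\tfile_desc",
    "1543810814.561031\tC54ogUaVovQHmrqlj\t192.168.1.131\t42862\t223.252.199.7\t443"
    "\t163.com\tIntel::DOMAIN\tX509::IN_CERT\tbro\tIntel::DOMAIN\t163.test"
    "\tFogk7hNCBjfSr8Bg3\tapplication/pkix-cert\t223.252.199.7:443/tcp",
    "1543810820.000000\tCZxQ1k3YvT7e0a9b2\t192.168.1.131\t51000\t8.8.8.8\t53"
    "\twww.baidu.com\tIntel::DOMAIN\tDNS::IN_REQUEST\tbro\tIntel::DOMAIN"
    "\tTest1-baidu-Intel\t-\t-\t-",
])
```

To check a hand-edited otx.dat, read the file and call validate_intel_file on its contents; an empty list means the header and every row are tab-separated with a known indicator type. parse_intel_log takes the header from the log itself, so it keeps working when a different Bro version writes a different column set.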