After updating scripts run:
Check all traffic going to port 22 on 195.194.187.209/28 using: c$id$resp_p == 22/tcp
Check for SNMP traffic using: if(c$id$resp_p == 161/udp)
IRC fields of interest: c$id$resp_p, c$irc$nick, c$irc$user, c$irc$command, c$irc$value
Match against malware or known threat IPs by comparing the malware_list values with c$dns$answers
List of IPs with names, defined in: const malware_list_location = @DIR + "/malware_updated.dat"
Switched on in site/local.bro
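As an added example, not taken from these notes or the linked blog, a Bro 2.x script that wires the points above together: it loads malware_updated.dat through the Input framework, raises a notice when a DNS answer resolves to a listed address, and flags SSH connections into the watched /28. The module name, notice names and the tab-separated ip/name file layout are assumptions; the script is switched on from site/local.bro with an @load line.

```zeek
@load base/frameworks/notice
@load base/protocols/dns

module MalwareCheck;

export {
    redef enum Notice::Type += { Malware_DNS_Answer, Watched_SSH_Connection };
    # Assumed layout: a "#fields<TAB>ip<TAB>name" header, then one "ip<TAB>name" row per entry.
    const malware_list_location = @DIR + "/malware_updated.dat" &redef;
    const watched_net = 195.194.187.209/28 &redef;  # subnet from the notes
}

type Idx: record { ip: addr; };
type Val: record { name: string; };

# Filled by the Input framework and re-read whenever the file changes on disk.
global malware_list: table[addr] of Val = table();

event bro_init()
{
    Input::add_table([$source=malware_list_location, $name="malware_list",
                      $idx=Idx, $val=Val, $destination=malware_list,
                      $mode=Input::REREAD]);
}

# Once a DNS transaction is complete, compare each answer against the list
# (the "malware_list value in c$dns$answers" check from the notes).
event dns_end(c: connection, msg: dns_msg)
{
    if ( ! c?$dns || ! c$dns?$answers )
        return;
    for ( i in c$dns$answers )
    {
        local ans = c$dns$answers[i];
        if ( ! is_valid_ip(ans) )
            next;   # CNAME/TXT/NS answers are names, not addresses
        local a = to_addr(ans);
        if ( a in malware_list )
            NOTICE([$note=Malware_DNS_Answer, $conn=c, $identifier=cat(a),
                    $msg=fmt("DNS answer %s is on the malware list (%s)", a, malware_list[a]$name)]);
    }
}
# The port-22 check from the notes, restricted to the watched subnet.
event connection_established(c: connection)
{
    if ( c$id$resp_p == 22/tcp && c$id$resp_h in watched_net )
        NOTICE([$note=Watched_SSH_Connection, $conn=c,
                $msg=fmt("SSH to %s from %s", c$id$resp_h, c$id$orig_h)]);
}
```

Matches appear in notice.log; because the list is loaded with Input::REREAD, editing malware_updated.dat takes effect without restarting Bro.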
From: https://bl0gg.ruberg.no/2016/03/threat-intelligence-otx-bro-silk-bind-rpz-ossec/
OTX can be used with Bro as well, and there are at least two Bro scripts for updating the feeds from the OTX API. The one that works for me is https://github.com/hosom/bro-otx. The script will make Bro register activity that matches indicators from an OTX pulse.
Sample log entries, modified for readability: