[Bro] Intel Framework Extensions

Seth Hall seth at icir.org
Sun Sep 15 18:45:38 PDT 2013


On Sep 14, 2013, at 3:51 PM, anthony kasza <anthony.kasza at gmail.com> wrote:

> Given the Intel::Type enum is not redefinable, what is the best way to add new types of indicators to the intel framework? I've managed to add DOMAIN_TLDs to the framework, but only by editing base/frameworks/intel/main. 

Enums are implicitly redef-able.  Have you tried it?

> It would be nice to be able to include a set of strings in an intel.dat file. Does anyone have any ideas on how to extend the intel framework to support complex indicators?

That's not possible through extensions yet.  It's very possible that we'll add more capability for matching extensions later, but for now the intel framework is very minimal and simple.

Keep in mind that I'm not saying you couldn't write a Bro script that does this, just that the intel framework is probably not what you're looking for right now.

> Patterns could be useful, too.


We've discussed this for a long time and it's something that we will approach in the future, but it likely won't be for full Bro patterns (regular expressions).

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20130915/509e6daa/attachment.bin 


More information about the Bro mailing list