[Bro] Intel Framework Extensions
seth at icir.org
Sun Sep 15 18:45:38 PDT 2013
On Sep 14, 2013, at 3:51 PM, anthony kasza <anthony.kasza at gmail.com> wrote:
> Given the Intel::Type enum is not redefinable, what is the best way to add new types of indicators to the intel framework? I've managed to add DOMAIN_TLDs to the framework, but only by editing base/frameworks/intel/main.
Enums are implicitly redef-able. Have you tried it?
> It would be nice to be able to include a set of strings in an intel.dat file. Does anyone have any ideas on how to extend the intel framework to support complex indicators?
That's not possible through extensions yet. It's very possible that we'll add more capability for matching extensions later, but for now the intel framework is very minimal and simple.
Keep in mind that I'm not saying you couldn't write a Bro script that does this, just that the intel framework is probably not what you're looking for right now.
> Patterns could be useful, too.
We've discussed this for a long time and it's something that we will approach in the future, but it likely won't be for full Bro patterns (regular expressions).
International Computer Science Institute
(Bro) because everyone has a network
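What Seth is pointing at, as an added example that is not part of the thread and not from Bro's own scripts: the Intel::Type enum is extended with a plain `redef enum ... +=` from a site script, with no change to base/frameworks/intel/main.bro, and the new type is fed from the dns_request event. The script name, the TLDIntel module, the DOMAIN_TLD and IN_DNS_REQUEST enum values and the extract_tld helper are all my own; it assumes the intel framework that exposes Intel::seen() with an Intel::Where location (the input-framework-based version), and that the TLD is simply the last label of the queried name.

```bro
# tld-intel.bro: added example, not from the thread or from Bro's distribution.
# Adds a DOMAIN_TLD indicator type by redef'ing the Intel::Type enum and feeds
# the TLD of every DNS query to Intel::seen(), so an intel file can carry
# entries such as "zip" with indicator_type Intel::DOMAIN_TLD.
@load base/frameworks/intel

module TLDIntel;

export {
	# Intel::Type is an ordinary enum, so it can be extended from any script;
	# the qualified name keeps the new value in the Intel namespace.
	redef enum Intel::Type += { Intel::DOMAIN_TLD };

	# Our own "where" location (assumed name), so a hit records where the
	# indicator was observed, like the DNS::IN_REQUEST location in the
	# distribution's seen/ scripts.
	redef enum Intel::Where += { TLDIntel::IN_DNS_REQUEST };
}

# Return the last label of a name: "mail.example.zip" -> "zip".
# Returns the empty string when the name has no dot at all, so a bare
# hostname such as "localhost" is never reported as a TLD.
function extract_tld(name: string): string
	{
	local tail = find_last(name, /\.[^.]+$/);
	if ( tail == "" )
		return "";
	return sub(tail, /^\./, "");
	}

event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
	{
	local tld = extract_tld(query);
	if ( tld == "" )
		return;

	# Hand the TLD to the intel framework exactly like the built-in seen/
	# scripts do for whole domains; matching against loaded intel files and
	# the Intel::match event handling stay unchanged.
	Intel::seen([$indicator=tld,
	             $indicator_type=Intel::DOMAIN_TLD,
	             $conn=c,
	             $where=TLDIntel::IN_DNS_REQUEST]);
	}
```

Load the script from local.bro and point Intel::read_files at an intel file whose indicator_type column says `Intel::DOMAIN_TLD`; the exact column layout of that file depends on the Bro version in use, so copy the header from an existing intel file rather than from memory. Note that the match is still an exact string comparison on the extracted label, which is what the rest of the thread says the framework offers: there is no set-of-strings or pattern matching here, only a new type of exact indicator.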