[Bro] Intel Framework Extensions

anthony kasza anthony.kasza at gmail.com
Mon Sep 16 07:26:24 PDT 2013

Got it. Thanks for the info, Seth!
On Sep 15, 2013 6:45 PM, "Seth Hall" <seth at icir.org> wrote:

> On Sep 14, 2013, at 3:51 PM, anthony kasza <anthony.kasza at gmail.com>
> wrote:
> > Given the Intel::Type enum is not redefinable, what is the best way to
> > add new types of indicators to the intel framework? I've managed to add
> > DOMAIN_TLDs to the framework, but only by editing
> > base/frameworks/intel/main.
> Enums are implicitly redef-able.  Have you tried it?
> > It would be nice to be able to include a set of strings in an intel.dat
> > file. Does anyone have any ideas on how to extend the intel framework to
> > support complex indicators?
> That's not possible through extensions yet.  It's very possible that we'll
> add more capability for matching extensions later, but for now the intel
> framework is very minimal and simple.
> Keep in mind that I'm not saying you couldn't write a Bro script that does
> this, just that the intel framework is probably not what you're looking for
> right now.
> > Patterns could be useful, too.
> We've discussed this for a long time and it's something that we will
> approach in the future, but it likely won't be for full Bro patterns
> (regular expressions).
>   .Seth
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
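The redef Seth points at, as an added example that is not part of the thread and not code from the Bro project: a site script that extends Intel::Type with a DOMAIN_TLD indicator type, extends Intel::Where with a matching location, loads a TLD list in the ordinary intel.dat format, and feeds the TLD of every DNS query through Intel::seen. The names DOMAIN_TLD, DNS::IN_TLD, extract_tld and the file path are assumptions made for this example; Intel::Type, Intel::Where, Intel::read_files, Intel::seen and dns_request are the framework's own.

```bro
# Added example, not from this thread and not from the Bro project: extend the
# intel framework with a DOMAIN_TLD indicator type from a site script, without
# editing base/frameworks/intel/main.bro. The names DOMAIN_TLD, DNS::IN_TLD,
# extract_tld and the file path below are assumptions made for this example.

@load base/frameworks/intel
@load base/protocols/dns

# Intel::Type is declared &redef, so a site script can extend it in place.
redef enum Intel::Type += {
    ## The top-level domain of a name, e.g. "biz" for "mail.example.biz".
    Intel::DOMAIN_TLD,
};

# Intel::Where is &redef as well; it records where an indicator was seen.
redef enum Intel::Where += {
    ## The TLD of the name in a DNS query (assumed location name).
    DNS::IN_TLD,
};

# Indicator file (assumed path) with one TLD per line. It uses the regular
# tab-separated intel.dat format, so nothing in the framework has to change
# to load it:
#
#   #fields<TAB>indicator<TAB>indicator_type<TAB>meta.source<TAB>meta.desc
#   biz<TAB>Intel::DOMAIN_TLD<TAB>local<TAB>watched TLD
#
redef Intel::read_files += { "/usr/local/bro/share/bro/site/tld.dat" };

# Return the label after the last dot, lower-cased, or the input unchanged
# if it contains no dot. sub() replaces the first match of the pattern, and
# the greedy "^.*\." consumes everything up to and including the last dot.
# A name with a trailing dot ("example.com.") yields "", which the caller
# skips rather than reporting an empty indicator.
function extract_tld(name: string): string
{
    return to_lower(sub(name, /^.*\./, ""));
}

# Feed the TLD of every DNS query through the framework. Hits against
# tld.dat are handled by the framework's own match logic (intel.log).
event dns_request(c: connection, msg: dns_msg, query: string,
                  qtype: count, qclass: count)
{
    local tld = extract_tld(query);
    if ( tld == "" )
        return;

    Intel::seen([$indicator=tld,
                 $indicator_type=Intel::DOMAIN_TLD,
                 $conn=c,
                 $where=DNS::IN_TLD]);
}
```

Drop the script into the site directory and @load it from local.bro; the only thing that changes in the framework itself is the set of enum values, which is exactly what the redef is for. Matching is still exact-string, so this covers the DOMAIN_TLD case from the question but not the set-of-strings or pattern indicators Seth says the framework does not support yet.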