[Bro] Intel Framework Extensions
anthony.kasza at gmail.com
Mon Sep 16 07:26:24 PDT 2013
Got it. Thanks for the info, Seth!
On Sep 15, 2013 6:45 PM, "Seth Hall" <seth at icir.org> wrote:
> On Sep 14, 2013, at 3:51 PM, anthony kasza <anthony.kasza at gmail.com> wrote:
> > Given the Intel::Type enum is not redefinable, what is the best way to
> > add new types of indicators to the intel framework? I've managed to add
> > DOMAIN_TLDs to the framework, but only by editing
> Enums are implicitly redef-able. Have you tried it?
> > It would be nice to be able to include a set of strings in an intel.dat
> > file. Does anyone have any ideas on how to extend the intel framework to
> > support complex indicators?
> That's not possible through extensions yet. It's very possible that we'll
> add more capability for matching extensions later, but for now the intel
> framework is very minimal and simple.
> Keep in mind that I'm not saying you couldn't write a Bro script that does
> this, just that the intel framework is probably not what you're looking for
> right now.
> > Patterns could be useful, too.
> We've discussed this for a long time and it's something that we will
> approach in the future, but it likely won't be for full Bro patterns
> (regular expressions).
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
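Worked example of the approach Seth points at above (extending the Intel::Type enum with redef rather than editing the framework). This is an added illustration, not code from the thread or from the Bro project. The names Intel::DOMAIN_TLD and DNS::IN_REQUEST_TLD, the intel file path and the sample intel line are assumptions of this example; the calls used (redef enum, Intel::read_files, Intel::seen, Intel::match, dns_request) are the Bro 2.x intel and DNS APIs.

```bro
# Added example (not from the original thread or the Bro project): add a
# new indicator type to the intel framework and feed the top-level domain
# of every DNS query into it.

@load base/frameworks/intel
@load base/protocols/dns

# Enums in Bro are implicitly redef-able, so a new indicator type can be
# added from a site script without touching base/frameworks/intel/main.bro.
# The value name DOMAIN_TLD is an assumption of this example.
redef enum Intel::Type += {
    Intel::DOMAIN_TLD
};

# A new "where" location so intel.log records that the hit came from the
# TLD of a DNS request rather than from the full query name (assumed name).
redef enum Intel::Where += {
    DNS::IN_REQUEST_TLD
};

# Intel file consumed by the framework (assumed path). Columns are
# tab-separated; the indicator_type column carries the new enum value.
# Constructed sample (tabs shown here as spaces):
#   #fields  indicator  indicator_type     meta.source   meta.desc        meta.url
#   tk       Intel::DOMAIN_TLD             local-policy  abused free TLD  -
redef Intel::read_files += { "/usr/local/bro/share/intel/tld.dat" };

# Reduce a queried name to its last label: drop a trailing dot if present,
# then everything up to and including the last remaining dot. Bro's regex
# matcher is leftmost-longest, so /^.*\./ consumes through the final dot.
function extract_tld(query: string): string
    {
    local q = to_lower(gsub(query, /\.$/, ""));
    if ( /\./ !in q )
        return "";   # bare label or empty query: nothing to look up
    return sub(q, /^.*\./, "");
    }

# Hand each observed TLD to the framework; a match is logged to intel.log
# by the framework itself.
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
    {
    local tld = extract_tld(query);
    if ( tld == "" )
        return;

    Intel::seen([$indicator=tld,
                 $indicator_type=Intel::DOMAIN_TLD,
                 $conn=c,
                 $where=DNS::IN_REQUEST_TLD]);
    }

# Optional: react to a match beyond the default intel.log entry. Only our
# own indicator type is handled, and conn is checked because it is
# &optional in Intel::Seen.
event Intel::match(s: Intel::Seen, items: set[Intel::Item])
    {
    if ( s$indicator_type != Intel::DOMAIN_TLD || ! s?$conn )
        return;

    for ( item in items )
        print fmt("DNS query for TLD .%s from %s matched intel source %s",
                  s$indicator, s$conn$id$orig_h, item$meta$source);
    }
```

Load this from local.bro next to the intel file. Note that this only adds a new exact-match indicator type; as Seth says above, sets of strings or patterns as a single indicator are not something the framework supports, so those would still have to be matched in your own script logic before (or instead of) calling Intel::seen.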