[Bro] vector array of string used as a pattern for matching

Seth Hall seth at icir.org
Fri Feb 28 07:37:07 PST 2014

On Feb 27, 2014, at 3:28 PM, Jim Mellander <jmellander at LBL.GOV> wrote:

> the domain matching is done by successively splitting the domain into smaller parts & check for set membership

This has a lot of overhead in Bro at the moment due to the amount of string manipulation.  I have an example module of a faster way to do this that doesn't involve any string manipulation.


It includes Mozilla's list of "effective TLDs".  Things like co.uk are counted as TLDs.

> @load domain-tld
> DomainTLD::effective_tld("www.google.co.uk");
  => co.uk
> DomainTLD::effective_tld("www.google.com");
  => com
> DomainTLD::effective_domain("whatever.www.blah.google.co.uk");
  => google.co.uk
> DomainTLD::effective_domain("whatever.www.blah.google.com");
  => google.com


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140228/8bba98ac/attachment.bin 

More information about the Bro mailing list