[Bro] [bro] intel framework
tgdesrochers at gmail.com
Mon Jul 18 06:25:14 PDT 2016
Signatures seem to be what I was looking for, thanks for the tip.
On Mon, Jul 18, 2016 at 8:00 AM, Hosom, Stephen M <hosom at battelle.org> wrote:
> You could also use signatures for this.
> From: bro-bounces at bro.org [bro-bounces at bro.org] on behalf of anthony
> kasza [anthony.kasza at gmail.com]
> Sent: Sunday, July 17, 2016 8:42 PM
> To: Tim Desrochers
> Cc: bro at bro.org
> Subject: Re: [Bro] [bro] intel framework
> This should work:
> The Intel framework works on a plugin system. You should be able to add
> some protocol fields by writing a new script if what you need isn't
> already there.
> On Jul 17, 2016 7:19 PM, "Tim Desrochers" <tgdesrochers at gmail.com> wrote:
> Is there a way to use the intel framework to alert on something like this
> I don't care about the domain, I just care about the URI. The adversary
> keeps using DGA domains but the rest stays the same.
> I read the intel framework section online and I don't see anything that
> looks like it would match this type of intel.
> Bro mailing list
> bro at bro-ids.org
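One way to express the signature approach suggested above, as an added example that is not code from the original thread or from the Bro project. The Intel framework's URL indicator type matches the full URL, host included, so a DGA domain defeats it; a signature can instead match on the decoded request URI alone. The signature name and the path "/update/gate.php" are hypothetical placeholders (the real URI was in the scrubbed attachment); put the block in a file such as dga-uri.sig:

```bro
# Added example (not from the thread or from Bro itself): a Bro signature
# that matches on the HTTP request URI only, so it fires no matter which
# DGA-generated domain the request is sent to.
# "/update/gate.php" is a hypothetical placeholder for the adversary's path.
signature dga_uri_indicator {
    ip-proto == tcp
    # No dst-port condition on purpose: the http-request condition is
    # evaluated by the HTTP analyzer, so HTTP on non-standard ports still
    # matches. Add "dst-port == 80" to narrow it if the traffic is predictable.

    # Matched against the decoded request URI. Anchor at the start of the
    # path and allow an optional query string, so an unrelated URI that
    # merely contains the string does not match.
    http-request /^\/update\/gate\.php(\?.*)?$/

    # On a match Bro writes to signatures.log and, with the default
    # Signatures::actions, raises a Signatures::Sensitive_Signature notice.
    event "HTTP request URI matches adversary C2 path (domain ignored)"
}
```

Load it from local.bro with `@load-sigs ./dga-uri.sig`, or test it offline against a capture with `bro -r trace.pcap -s dga-uri.sig` and inspect signatures.log. The regex is the part to get right: a bare `/gate\.php/` would also fire on legitimate paths that happen to contain that string, which is why the example anchors on the full path.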