[Bro] A little more confusion with Intel
Azoff, Justin S
jazoff at illinois.edu
Thu Jan 18 09:33:37 PST 2018
> On Jan 18, 2018, at 11:42 AM, James Lay <jlay at slave-tothe-box.net> wrote:
> yahoo.com Intel::DOMAIN testdomain
> 1516289219.143906 CFXRMB4RJIFYSdw72a 192.168.1.2 62196 192.168.1.1 53 udp 3285 0.003246 www.yahoo.com 1 C_INTERNET 1 A 0 NOERROR F F TT 0 atsv2-fp.wg1.b.yahoo.com,220.127.116.11,18.104.22.168,22.214.171.124,126.96.36.199 1320.000000,39.000000,39.000000,39.000000,39.000000 F
> and no intel.log. What's different here? Would love to know what I'm missing... thank you.
www.yahoo.com is not yahoo.com.
You need an Intel::seen event that uses https://github.com/sethhall/domain-tld to get that to match. I thought someone wrote a package that did this, but apparently not.
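An added example of what that extra Intel::seen hook could look like (this is not code from the thread, from Bro, or from the domain-tld package). It assumes domain-tld is installed where `@load domain-tld` finds it and exposes `DomainTLD::effective_domain()`, and that the stock Intel framework and its DNS "seen" script are loaded:

```bro
# Added example, not part of the original thread. Assumes the domain-tld
# package is on BROPATH and provides DomainTLD::effective_domain().
@load frameworks/intel/seen
@load domain-tld   # assumption: how the package is loaded in this install

module IntelEffectiveDomain;

event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
    {
    # The stock frameworks/intel/seen/dns script already submits the full
    # query name ("www.yahoo.com"), so an indicator written as the full
    # host name keeps matching exactly as before.

    # Reduce the query to its effective (registrable) domain,
    # e.g. "www.yahoo.com" -> "yahoo.com"  (assumed function behaviour).
    local eff = DomainTLD::effective_domain(query);

    # Only submit the reduced name when it differs from the raw query, so a
    # lookup of "yahoo.com" itself is not reported against intel twice.
    if ( eff != "" && eff != query )
        Intel::seen([$indicator=eff,
                     $indicator_type=Intel::DOMAIN,
                     $conn=c,
                     $where=DNS::IN_REQUEST]);
    }
```

With this loaded, an intel file entry of `yahoo.com Intel::DOMAIN testdomain` produces an intel.log line for the www.yahoo.com lookup shown in the quoted dns.log, while entries for specific host names continue to match through the stock script.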