[Bro] A little more confusion with Intel

James Lay jlay at slave-tothe-box.net
Thu Jan 18 09:46:22 PST 2018

Ya we discovered that worked thanks Fatema...but that defeats the point
of "domain" in the intel file :( 


On 2018-01-18 10:42, fatema bannatwala wrote:

> I see the dns request is for "www.yahoo.com [1]", however the entry in your intel-1.dat is for "yahoo.com [2]" 
> Not sure if Bro intel framework works with the sub-domains lookup as well for intel. 
> Try adding "www.yahoo.com [1]" in your intel-1.dat, and see if intel.log triggers.


[1] http://www.yahoo.com
[2] http://yahoo.com
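
The behaviour reported in this thread (a query for www.yahoo.com did not hit an intel entry for yahoo.com, while an exact entry did) can be audited offline. The following is an added example, not code from the thread or from the Bro project: it reads a tab-separated intel file and flags query names that match a listed domain only at a parent label. The intel contents, the source name and the query names are constructed sample data.

```python
# Added example: constructed intel file body and query names, not from the thread.
INTEL_DAT = (
    "#fields\tindicator\tindicator_type\tmeta.source\n"
    "yahoo.com\tIntel::DOMAIN\tconstructed-feed\n"
    "bad.example\tIntel::DOMAIN\tconstructed-feed\n"
    "192.0.2.10\tIntel::ADDR\tconstructed-feed\n"
)
QUERIES = ["www.yahoo.com", "yahoo.com", "notyahoo.com", "a.b.bad.example", "example.org"]

def load_domains(text):
    """Return the set of Intel::DOMAIN indicators from an intel file body."""
    fields, domains = None, set()
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]  # column names follow the #fields tag
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        row = dict(zip(fields, line.split("\t")))
        if row.get("indicator_type") == "Intel::DOMAIN":
            domains.add(row["indicator"].lower().rstrip("."))
    return domains

def parent_candidates(name):
    """www.yahoo.com -> ['www.yahoo.com', 'yahoo.com', 'com'], split on labels only."""
    labels = name.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def classify(name, domains):
    """'exact' if the name itself is listed, 'parent:<d>' if only a parent is, else None."""
    cands = parent_candidates(name)
    if cands[0] in domains:
        return "exact"
    for cand in cands[1:]:
        if cand in domains:
            return "parent:" + cand  # missed when only the exact name is compared
    return None

def report(queries, text):
    """Map each query name to its classification against the intel domains."""
    domains = load_domains(text)
    return {q: classify(q, domains) for q in queries}

if __name__ == "__main__":
    for query, result in report(QUERIES, INTEL_DAT).items():
        print(f"{query:20} {result}")
```

Names reported as `parent:` are the ones that would need their own entry in the intel file under the exact matching seen in this thread; splitting on labels keeps `notyahoo.com` from being treated as a match for `yahoo.com`.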