[Bro] A little more confusion with Intel
Azoff, Justin S
jazoff at illinois.edu
Thu Jan 18 13:55:42 PST 2018
> On Jan 18, 2018, at 3:48 PM, Jan Grashöfer <jan.grashoefer at gmail.com> wrote:
>> Yes this would be a nice to have.
> I put together a POC for effective TLDs but haven't tested deploying.
> During the weekend I should be able to polish it a bit. If someone
> already wants to give it a try:
> bro-pkg install https://github.com/J-Gras/intel-seen-more
That looks just like what I had in mind.
It makes sense that the type would be different, but I could see some people expecting it to just use the normal Intel::DOMAIN so existing feeds match.
The more I think about this, there are also the similar calls to seen() for HTTP::IN_HOST_HEADER, SSL::IN_SERVER_NAME, and X509::IN_CERT.
Maybe the intel framework itself needs to have an option to use the effective TLD when looking up Intel::DOMAINs inside of seen()
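The lookup behaviour discussed in this thread, as an added example that is not part of the mailing list post, of the intel-seen-more package, or of Bro's own Intel framework: a small Python model in which an observed domain from a host header, SNI or certificate is matched against a domain feed both exactly and, optionally, by its effective (registered) domain, while keeping the ordinary Intel::DOMAIN type so existing feed entries still match. The public suffix set, the feed entries and the observations are all constructed for the example; a real deployment would use the full public suffix list.

```python
# Added example: a toy model of Bro's Intel::seen() extended with an
# "effective TLD" option. Not code from the thread or from any Bro package.

# Constructed stand-in for the public suffix list (real deployments load
# the full Mozilla PSL). Multi-label suffixes like "co.uk" are included so
# the longest-suffix rule below is exercised.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "github.io"}


def effective_domain(fqdn: str) -> str:
    """Return the registered domain: the public suffix plus one more label.

    A name that is itself a public suffix is returned unchanged, and a name
    with no known suffix is returned lowercased as-is.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    # Walk from the full name down to the last label, so the longest
    # matching suffix wins ("co.uk" before "uk").
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                return suffix
            return ".".join(labels[i - 1:])
    return ".".join(labels)


# Constructed intel feed: indicator -> (indicator type, feed name), the shape
# of a Bro intel.dat line. Only Intel::DOMAIN entries are used here, so the
# same feed serves both exact and effective-domain matching.
INTEL = {
    "bad.example.com": ("Intel::DOMAIN", "feed-a"),
    "evil.co.uk": ("Intel::DOMAIN", "feed-b"),
}


def seen(indicator: str, where: str, use_effective_tld: bool = False):
    """Model of Intel::seen() for a domain indicator.

    Returns a list of (matched_indicator, where, feed) tuples. With
    use_effective_tld=True the registered domain is looked up as a second
    key, so a feed entry "evil.co.uk" also hits "cdn.evil.co.uk".
    """
    matches = []
    ind = indicator.lower().rstrip(".")
    if ind in INTEL:
        matches.append((ind, where, INTEL[ind][1]))
    if use_effective_tld:
        eff = effective_domain(ind)
        if eff != ind and eff in INTEL:
            matches.append((eff, where, INTEL[eff][1]))
    return matches


# Constructed observations, one per location the thread mentions.
OBSERVATIONS = [
    ("cdn.evil.co.uk", "SSL::IN_SERVER_NAME"),
    ("bad.example.com", "HTTP::IN_HOST_HEADER"),
    ("mail.evil.co.uk", "X509::IN_CERT"),
]


def run(use_effective_tld: bool = False):
    """Apply seen() to every observation and collect all matches."""
    hits = []
    for domain, where in OBSERVATIONS:
        hits.extend(seen(domain, where, use_effective_tld))
    return hits


if __name__ == "__main__":
    print("exact only:     ", run(False))
    print("effective TLD:  ", run(True))
```

With the option off only the exact host-header hit fires; with it on, the SNI and certificate observations under evil.co.uk also match the single feed entry, which is the behaviour the thread proposes making configurable inside seen() rather than requiring a separate indicator type.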