[Bro] A little more confusion with Intel

Azoff, Justin S jazoff at illinois.edu
Thu Jan 18 13:55:42 PST 2018

> On Jan 18, 2018, at 3:48 PM, Jan Grashöfer <jan.grashoefer at gmail.com> wrote:
>> Yes this would be a nice to have.
> I put together a POC for effective TLDs but haven't tested deploying.
> During the weekend I should be able to polish it a bit. If someone
> already wants to give it a try:
> bro-pkg install https://github.com/J-Gras/intel-seen-more
> Jan

That looks just like what I had in mind.

It makes sense that the type would be different, but I could see some people expecting it to just use the normal Intel::DOMAIN so existing feeds match.

The more I think about this, there are also the similar calls to seen() via HTTP::IN_HOST_HEADER, SSL::IN_SERVER_NAME, and X509::IN_CERT.

Maybe the intel framework itself needs to have an option to use the effective TLD when looking up Intel::DOMAINs inside of seen().

Justin Azoff
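
Added example, not part of the original message and not code from Bro or intel-seen-more: a Python sketch of the lookup behaviour discussed above, where an observed hostname is reduced to its effective domain before being checked against existing domain indicators. The suffix list, feed entries, and the `use_effective_tld` option name are constructed assumptions.

```python
# Constructed subset of the public suffix list; a real deployment loads the full list.
PUBLIC_SUFFIXES = {"com", "org", "edu", "uk", "co.uk"}

# Constructed feed: indicators of the ordinary domain type, mapped to their source.
INTEL_DOMAINS = {"bad-example.co.uk": "feed-A", "evil-example.com": "feed-B"}


def effective_domain(host):
    """Return the registrable domain (public suffix plus one label), or None."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the longest candidate suffix to the shortest, so that
    # "co.uk" wins over "uk".
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return None  # the host is itself a public suffix
            return ".".join(labels[i - 1:])
    return None  # no known suffix (IP address, internal name, ...)


def seen(indicator, where, use_effective_tld=True):
    """Return (matched indicator, source, where) tuples for an observed name.

    With use_effective_tld=False only the exact name is looked up, which is
    why a feed entry for the registered domain misses its subdomains.
    """
    host = indicator.lower().rstrip(".")
    candidates = [host]
    if use_effective_tld:
        eff = effective_domain(host)
        if eff and eff != host:
            candidates.append(eff)
    return [(c, INTEL_DOMAINS[c], where) for c in candidates if c in INTEL_DOMAINS]


if __name__ == "__main__":
    # Constructed observations, tagged with the locations named in the message.
    for name, where in [("cdn.mail.bad-example.co.uk", "HTTP::IN_HOST_HEADER"),
                        ("login.evil-example.com", "SSL::IN_SERVER_NAME"),
                        ("www.illinois.edu", "X509::IN_CERT")]:
        print(name, where, seen(name, where, False), seen(name, where))
```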
