[Bro] A little more confusion with Intel

Jan Grashöfer jan.grashoefer at gmail.com
Fri Jan 19 07:26:02 PST 2018

On 18/01/18 22:55, Azoff, Justin S wrote:
> It makes sense that the type would be different, but I could see some people expecting it to just use the normal Intel::DOMAIN so
> existing feeds match.

While that's certainly true, a couple of people might already rely on 
Intel::DOMAIN matching the complete domain.

> The more I think about this,  there's also the similar calls to seen() for via HTTP::IN_HOST_HEADER, SSL::IN_SERVER_NAME, and X509::IN_CERT

Yep, I will just add corresponding scripts to the package.

> Maybe the intel framework itself needs to have an option to use the effective TLD when looking up Intel::DOMAINs inside of seen()

In that case the framework should report both: The effective and the 
complete domain. However, using a separate type would be more flexible 
as users could decide case by case or even add both.

Given that the effective_domain function is already available as a 
package, I would vote for an additional package. In theory even the 
intel framework itself could be made a package.


More information about the Bro mailing list