[Bro] Intel Framework Extensions

anthony kasza anthony.kasza at gmail.com
Sat Sep 14 12:51:17 PDT 2013


In an attempt to customize the intel framework I've run into a few issues
and am looking for advice on how to proceed. I have two questions.

Given the Intel::Type enum is not redefinable, what is the best way to add
new types of indicators to the intel framework? I've managed to add
DOMAIN_TLDs to the framework, but only by editing
base/frameworks/intel/main.

A rather specific case I've been considering is the best way to identify a
set of unordered URL parameters. A chain of requires-signature might be a
solution, but it seems inelegant. Although one may not necessarily care
which domain, path, or file an HTTP request contains, it may become
interesting given the presence of specific parameters. Example requests
follow:

hxxp://domain1.tld/path1/file1.asp?foo=1&bar=2
hxxp://domain2.tld/path2/file2.asp?foo=3&bar=4
hxxp://domain3.tld/path3/file3.asp?bar=6&foo=5

It would be nice to be able to include a set of strings in an intel.dat
file. Does anyone have any ideas on how to extend the intel framework to
support complex indicators? Patterns could be useful, too.

-AK
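The "unordered set of URL parameters" case raised in the post, worked through as an added example that is not part of the original message and not Bro project code: instead of a chain of signatures, each indicator is a set of parameter names (with optional regex constraints on values) and the query string is parsed into a name-to-values map, so `foo=1&bar=2` and `bar=6&foo=5` hit the same indicator. The indicator entries, the `match_url` helper and the sample requests are constructed for illustration.

```python
"""Order-independent matching of URL query parameters against indicator sets.

Added example, not Zeek/Bro project code. Indicator names, parameter names
and sample URLs are constructed for illustration.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed indicator list. Each entry names the set of parameters that
# must all be present (order irrelevant) and optional regexes that at least
# one value of the named parameter must satisfy.
INDICATORS = [
    {"name": "foo-bar-pair",
     "params": frozenset({"foo", "bar"}),
     "value_patterns": {}},
    {"name": "cmd-with-numeric-id",
     "params": frozenset({"cmd", "id"}),
     "value_patterns": {"id": r"^\d+$"}},
]


def query_params(url):
    """Parse the query of `url` into {name: [values]}, discarding order."""
    params = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        params.setdefault(name, []).append(value)
    return params


def matches(indicator, params):
    """True if every indicator parameter is present and value patterns hold."""
    # issubset over a dict checks its keys, i.e. the parameter names.
    if not indicator["params"].issubset(params):
        return False
    for name, pattern in indicator["value_patterns"].items():
        if not any(re.search(pattern, v) for v in params.get(name, [])):
            return False
    return True


def match_url(url, indicators=INDICATORS):
    """Return the names of all indicators hit by `url`, whatever the param order."""
    params = query_params(url)
    return [ind["name"] for ind in indicators if matches(ind, params)]


# Constructed sample requests, modelled on the ones in the post.
SAMPLE_URLS = [
    "http://domain1.tld/path1/file1.asp?foo=1&bar=2",
    "http://domain2.tld/path2/file2.asp?foo=3&bar=4",
    "http://domain3.tld/path3/file3.asp?bar=6&foo=5",
    "http://domain4.tld/other.asp?foo=7",
    "http://domain5.tld/x.asp?cmd=list&id=42",
    "http://domain6.tld/x.asp?cmd=list&id=abc",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, "->", match_url(url))
```

Only the query string is consulted, so the domain, path and file name are ignored exactly as the post describes; a domain or path constraint could be added as a further field on the indicator entry without changing the parameter check.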