[Bro] Intel Framework Extensions

anthony kasza anthony.kasza at gmail.com
Mon Sep 16 07:26:24 PDT 2013


Got it. Thanks for the info, Seth!
On Sep 15, 2013 6:45 PM, "Seth Hall" <seth at icir.org> wrote:

> On Sep 14, 2013, at 3:51 PM, anthony kasza <anthony.kasza at gmail.com>
> wrote:
>
> > Given the Intel::Type enum is not redefinable, what is the best way to
> > add new types of indicators to the intel framework? I've managed to add
> > DOMAIN_TLDs to the framework, but only by editing
> > base/frameworks/intel/main.
>
> Enums are implicitly redef-able.  Have you tried it?
>
> > It would be nice to be able to include a set of strings in an intel.dat
> > file. Does anyone have any ideas on how to extend the intel framework to
> > support complex indicators?
>
> That's not possible through extensions yet.  It's very possible that we'll
> add more capability for matching extensions later, but for now the intel
> framework is very minimal and simple.
>
> Keep in mind that I'm not saying you couldn't write a Bro script that does
> this, just that the intel framework is probably not what you're looking for
> right now.
>
> > Patterns could be useful, too.
>
>
> We've discussed this for a long time and it's something that we will
> approach in the future, but it likely won't be for full Bro patterns
> (regular expressions).
>
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>
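As an added example (not from the thread or the Bro project), the script below takes Seth's hint: it redefs the Intel::Type enum to add the DOMAIN_TLD type Anthony wanted, feeds the TLD of every DNS query into the framework with Intel::seen, and reports matches. The TLDIntel module name, the IN_DNS_QUERY location, the feed path and the sample feed line are assumptions.

```zeek
##! Added example: extend Intel::Type via redef instead of editing
##! base/frameworks/intel/main.  Module name, Where value, feed path and
##! the sample feed line are constructed for this example.

@load base/frameworks/intel

module TLDIntel;

export {
    # Enums are implicitly redef-able, so a new indicator type needs no
    # change to the framework itself.  In a feed file the value must be
    # fully qualified as TLDIntel::DOMAIN_TLD.
    redef enum Intel::Type += {
        DOMAIN_TLD,
    };

    # A location of our own, so no other seen/* script is required.
    redef enum Intel::Where += {
        IN_DNS_QUERY,
    };

    # Placeholder path.  The feed is a tab-separated file, e.g.:
    #   #fields indicator  indicator_type        meta.source       meta.desc
    #   xyz     TLDIntel::DOMAIN_TLD  constructed-feed  watched TLD
    redef Intel::read_files += { "/PLACEHOLDER/path/tld_intel.dat" };
}

# Return the label after the last dot: "www.example.xyz" -> "xyz".
# The greedy ^.*\. consumes everything up to and including the last dot.
function extract_tld(query: string): string
    {
    return to_lower(sub(query, /^.*\./, ""));
    }

# Every DNS query contributes its TLD as a DOMAIN_TLD observation; the
# framework compares it against the loaded items.
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
    {
    if ( /\./ !in query )
        return;

    Intel::seen([$indicator=extract_tld(query),
                 $indicator_type=DOMAIN_TLD,
                 $conn=c,
                 $where=IN_DNS_QUERY]);
    }

# Hits arrive like those for any built-in type and are also written to intel.log.
event Intel::match(s: Intel::Seen, items: set[Intel::Item])
    {
    for ( item in items )
        if ( item$indicator_type == DOMAIN_TLD )
            print fmt("TLD hit: %s (source %s)", s$indicator, item$meta$source);
    }
```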