[Bro] vector array of string used as a pattern for matching

Seth Hall seth at icir.org
Fri Feb 28 07:37:07 PST 2014


On Feb 27, 2014, at 3:28 PM, Jim Mellander <jmellander at LBL.GOV> wrote:

> the domain matching is done by successively splitting the domain into smaller parts & check for set membership

This has a lot of overhead in Bro at the moment due to the amount of string manipulation.  I have an example module of a faster way to do this that doesn't involve any string manipulation.

	https://github.com/sethhall/bro-junk-drawer/tree/master/domain-tld

It includes Mozilla's list of "effective TLDs".  Things like co.uk are counted as TLDs.

> @load domain-tld
> DomainTLD::effective_tld("www.google.co.uk");
  => co.uk
> DomainTLD::effective_tld("www.google.com");
  => com
> DomainTLD::effective_domain("whatever.www.blah.google.co.uk");
  => google.co.uk
> DomainTLD::effective_domain("whatever.www.blah.google.com");
  => google.com

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
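As an added example (not Seth's Bro module and not code from the thread), the same effective_tld / effective_domain semantics in Python: labels are matched from the right against a trie built from a small constructed subset of Mozilla's public suffix list, so no substrings are built per lookup, and the wildcard and exception rule forms that the post's session does not show are handled too.

```python
# Added example: effective TLD / effective domain lookup against a label trie.
# PUBLIC_SUFFIX_RULES is a constructed subset of the public suffix list, not the
# full list the Bro module ships. "*." rules match any single label at that
# position; "!" rules are exceptions that cut one label off a wildcard match.
PUBLIC_SUFFIX_RULES = ["com", "uk", "co.uk", "org.uk", "jp", "*.ck", "!www.ck"]


def build_trie(rules):
    """Build a nested-dict trie keyed by labels, rightmost label first."""
    root = {}
    for rule in rules:
        exception = rule.startswith("!")
        node = root
        for label in reversed(rule.lstrip("!").split(".")):
            node = node.setdefault(label, {})
        node["$"] = "exception" if exception else "rule"  # terminal marker
    return root


SUFFIX_TRIE = build_trie(PUBLIC_SUFFIX_RULES)


def effective_tld(name):
    """Return the longest matching public suffix (e.g. 'co.uk' for www.google.co.uk)."""
    labels = name.lower().rstrip(".").split(".")
    node, depth, best = SUFFIX_TRIE, 0, 0
    for label in reversed(labels):
        nxt = node.get(label)
        if nxt is None:
            nxt = node.get("*")  # wildcard rule at this position
        if nxt is None:
            break
        depth += 1
        kind = nxt.get("$")
        if kind == "exception":
            best = depth - 1  # exception: the suffix stops one label earlier
            break
        if kind == "rule":
            best = depth
        node = nxt
    if best == 0:
        best = 1  # public suffix list convention: unknown TLD is one label
    return ".".join(labels[-best:])


def effective_domain(name):
    """Return the registrable domain (suffix plus one label), or None if none."""
    labels = name.lower().rstrip(".").split(".")
    suffix_len = effective_tld(name).count(".") + 1
    if len(labels) <= suffix_len:
        return None  # the name is itself a public suffix, e.g. "co.uk"
    return ".".join(labels[-(suffix_len + 1):])
```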
