[Bro] [bro] intel framework

Hosom, Stephen M hosom at battelle.org
Mon Jul 18 05:00:24 PDT 2016


You could also use signatures for this.

https://www.bro.org/sphinx/frameworks/signatures.html

________________________________________
From: bro-bounces at bro.org [bro-bounces at bro.org] on behalf of anthony kasza [anthony.kasza at gmail.com]
Sent: Sunday, July 17, 2016 8:42 PM
To: Tim Desrochers
Cc: bro at bro.org
Subject: Re: [Bro] [bro] intel framework

This should work:

https://github.com/bro/bro/blob/master/scripts/policy/frameworks/intel/seen/http-url.bro

The Intel framework works on a plugin system. You should be able to add some protocol fields by writing a new script if what you need isn't already there.

-AK

On Jul 17, 2016 7:19 PM, "Tim Desrochers" <tgdesrochers at gmail.com> wrote:
Is there a way to use the intel framework to alert on something like this:

/templates/nivoslider/loading.php

I don't care about the domain; I just care about the URI.  The adversary keeps using DGA domains but the rest stays the same.

I read the intel framework section online and I don't see anything that appears it would match this type of intel.

Thanks
Tim

_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
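Worked example for the thread above (added here; it is neither code from the list posts nor a script shipped with Bro). The stock http-url.bro that AK points to feeds HTTP::build_url(c$http) to the Intel framework, which prepends the Host, so an indicator that is only a path would never match there. The script below does what AK describes, adding a protocol field by writing a new "seen" script: it hands the bare request URI to Intel::seen so the hit fires regardless of which DGA domain the adversary is fronting the path with. It assumes the Bro 2.4-era Intel API (Intel::insert, Intel::seen, the do_notice policy); the Intel::Where value HTTP::IN_URI_ONLY is invented for this example, and the indicator is inserted inline only so the script runs stand-alone (in production it would come from a file listed in Intel::read_files, with indicator_type Intel::URL and the bare path as the indicator).

```bro
# Added example, not part of the Bro distribution: match intel on the
# request URI alone, ignoring the (DGA) host the request was sent to.
@load base/frameworks/intel
@load base/protocols/http
@load policy/frameworks/intel/do_notice

# Hypothetical location tag so hits in intel.log show where the match came from.
redef enum Intel::Where += { HTTP::IN_URI_ONLY };

# Constructed indicator, inserted inline so the example runs without an intel
# file. Real deployments list the indicator in a file under Intel::read_files.
event bro_init()
	{
	Intel::insert([$indicator="/templates/nivoslider/loading.php",
	               $indicator_type=Intel::URL,
	               $meta=[$source="added-example",
	                      $desc="loader path reused across DGA domains",
	                      $do_notice=T]]);
	}

# Mirror of the stock http-url.bro hook, but the indicator handed to
# Intel::seen is c$http$uri (no scheme, no host), so it is compared
# directly against the bare path stored above.
event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
	{
	if ( is_orig && c?$http && c$http?$uri )
		Intel::seen([$indicator=c$http$uri,
		             $indicator_type=Intel::URL,
		             $conn=c,
		             $where=HTTP::IN_URI_ONLY]);
	}
```

Run it with `bro -r sample.pcap this-script.bro`; a request for that path to any host lands in intel.log (and notice.log, because do_notice is set). The caveat is that the Intel framework compares the indicator as an exact string, so a request for the same path with a query string appended would not match; if the adversary varies the URI around a fixed substring, the signature framework Stephen points to (an `http-request /regex/` condition) is the better fit, since it matches the URI against a regular expression.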
