[Bro] Adding HTTP URL to Threat Intel

Ben McDowall Ben.McDowall at spark.co.nz
Thu Jan 26 11:01:11 PST 2017 

I have a scenario where for TOR related IPs its important I understand WHERE they went

As an example I want to know if a TOR IP accessed
                I care if it accessed http://mycompany.com/webmail/mail/0,12323123,123123
                I don't care if it accessed  http://mycompany.com/login

I know TOR nodes will always try and access our services to poke around etc but I really care if someone logs into an account successfully

There is two ways I thought of doing this
                1: Enrich the intel.log with http URL information (pump into SIEM for further analysis)
                2: Write a custom bro script to do additional analysis.

Anyone tackled a similar challenge and can share?

Cheers

Kind Regards
________________________________
[spark]



Ben McDowall
Technical Lead
Spark Security Incident Response Team (S-SIRT)
Spark Platforms
T

027 469 5887 (extn 96239)

E

Ben.McDowall at spark.co.nz

Level 8, Mayoral Drive Building
31 Airedale Street
Private Bag 92028, Auckland 1010
www.spark.co.nz<http://www.spark.co.nz/>
[Spark @ Twitter]<https://twitter.com/sparknz>

[Spark @ Facebook]<https://facebook.com/spark4nz>

[Spark @ YouTube]<https://youtube.com/user/sparknewzealand>


________________________________

This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you. Please note that this communication does not designate an information system for the purposes of the Electronic Transactions Act 2002.





-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170126/e8ee1509/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 20987 bytes
Desc: image001.png
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170126/e8ee1509/attachment-0005.bin 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 167 bytes
Desc: image002.png
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170126/e8ee1509/attachment-0006.bin 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.png
Type: image/png
Size: 656 bytes
Desc: image003.png
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170126/e8ee1509/attachment-0007.bin 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image004.png
Type: image/png
Size: 499 bytes
Desc: image004.png
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170126/e8ee1509/attachment-0008.bin 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image005.png
Type: image/png
Size: 794 bytes
Desc: image005.png
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170126/e8ee1509/attachment-0009.bin

More information about the Bro mailing list