[Bro] A little more confusion with Intel

Seth Hall seth at corelight.com
Thu Feb 1 08:10:23 PST 2018


Ahh!  I understand your use case better now.  We could use the 
effective-tld package to create a new "seen" injector for the intel 
framework that pokes effective TLDs into the intel framework.  I don't 
know what the overhead effects of this would be, but it might not be too 
bad.

   .Seth

On 31 Jan 2018, at 18:21, James Lay wrote:

> Thanks Seth,
>
> I basically modified this for bro use:
>
> https://isc.sans.edu/forums/diary/Tracking+Newly+Registered+Domains/23127/
>
> It's basically a list of domain names that have been newly registered. 
>  Does that help?
>
> James
>
> On 2018-01-29 09:14, Seth Hall wrote:
>> On 22 Jan 2018, at 11:30, James Lay wrote:
>>
>>> It's actually the inverse of what I'm seeing.  In my tests if I 
>>> have Intel::DOMAIN yahoo.com and I did a 
>>> "dig www.yahoo.com", the domain intel
>>> would not match because the dns request was for "www.yahoo.com", not 
>>> yahoo.com.  Does that make sense?  Thank you.
>>
>> Yeah, if we had a more comprehensive matcher for the intel framework
>> then you'd have a lot of options open for you.  I suppose that my main
>> point was that at the moment you will have to just include the exact
>> domain that you want to match on.
>>
>> Do you have a large list where you'd like to watch for any hits on the
>> effective second level domain like you're describing here?
>>
>>   .Seth
>>
>> --
>> Seth Hall * Corelight, Inc * www.corelight.com

--
Seth Hall * Corelight, Inc * www.corelight.com
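The "seen" injector sketched in the reply above, written out as an added example (it is not code from this thread or from the effective-tld package). It assumes the package is already loaded (for instance through bro-pkg's `@load packages` in local.bro) and that it exposes `DomainTLD::effective_domain()`; that function name is an assumption about the package's API, so check it against the version you install.

```bro
# Added example: an extra "seen" script for the Intel framework that also
# reports the effective second-level domain of every DNS query, so an
# Intel::DOMAIN entry for "yahoo.com" is hit by a lookup of "www.yahoo.com".
#
# Assumption: the effective-tld package is loaded and provides
# DomainTLD::effective_domain(domain: string): string.

@load base/frameworks/intel
@load base/protocols/dns
@load policy/frameworks/intel/seen/where-locations

module IntelEffectiveDomain;

event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) &priority=-5
	{
	if ( query == "" )
		return;

	# The stock policy/frameworks/intel/seen/dns script already reports the
	# exact query name, so only spend the extra lookup when the effective
	# domain is a different string (keeps the overhead to one call per query).
	local eff = DomainTLD::effective_domain(query);  # assumed package API
	if ( eff == "" || eff == query )
		return;

	# Feed the shortened name through the normal matching path; any hit is
	# logged to intel.log like a direct match on the query itself.
	Intel::seen([$indicator=eff,
	             $indicator_type=Intel::DOMAIN,
	             $conn=c,
	             $where=DNS::IN_REQUEST]);
	}
```

With this loaded, a newly registered domain list that contains only registrable names (as in the SANS ISC feed mentioned in the thread) matches hostnames under those names without having to enumerate every subdomain in the intel file.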