[Bro] A little more confusion with Intel
Seth Hall
seth at corelight.com
Thu Feb 1 10:09:26 PST 2018
On 1 Feb 2018, at 11:50, Jan Grashöfer wrote:
> On 01/02/18 17:10, Seth Hall wrote:
>> We could use the effective-tld package to create a new "seen"
>> injector for the intel framework that pokes effective TLDs into the
>> intel framework. I don't know what the overhead effects of this would
>> be, but it might not be too bad.
>
> Friendly reminder: https://github.com/J-Gras/intel-seen-more ;)
Hahaha! Sorry, I forgot about that already!

I had a thought about it too, what do you think about changing
Intel::EFFECTIVE_DOMAIN to Intel::EFFECTIVE_TLD? Seems like it makes
sense since the TLD is what you end up matching with this and it fits
James' use case correctly.
.Seth
--
Seth Hall * Corelight, Inc * www.corelight.com