[Bro] A little more confusion with Intel

Seth Hall seth at corelight.com
Thu Feb 1 19:52:57 PST 2018



On 1 Feb 2018, at 14:34, Jan Grashöfer wrote:

> But actually, we want to match against "yahoo.co.uk". Maybe one could 
> call that the 'effective SLD/2LD'. So in case of changing, I would 
> tend to use Intel::EFFECTIVE_SLD. However, to me this seems a bit 
> counterintuitive.

Hah!  You're exactly right and apparently I didn't think deeply enough 
when I was writing my email too.  I think EFFECTIVE_DOMAIN is better and 
it matches the function being called in the domain-tld package.  It's 
been quite a while since I looked at that.

Thanks,
   .Seth

--
Seth Hall * Corelight, Inc * www.corelight.com

