[Bro] A little more confusion with Intel
Azoff, Justin S
jazoff at illinois.edu
Thu Jan 18 09:33:37 PST 2018
> On Jan 18, 2018, at 11:42 AM, James Lay <jlay at slave-tothe-box.net> wrote:
>
> ...
> yahoo.com Intel::DOMAIN testdomain
> ...
> 1516289219.143906 CFXRMB4RJIFYSdw72a 192.168.1.2 62196 192.168.1.1 53 udp 3285 0.003246 www.yahoo.com 1 C_INTERNET 1 A 0 NOERROR F F TT 0 atsv2-fp.wg1.b.yahoo.com,98.138.252.38,98.138.252.39,98.139.180.180,206.190.39.43 1320.000000,39.000000,39.000000,39.000000,39.000000 F
>
> and no intel.log. What's different here? Would love to know what I'm missing... thank you.
>
www.yahoo.com is not yahoo.com
You need an Intel::seen event that uses https://github.com/sethhall/domain-tld to get that to match. I thought someone wrote a package that did this, but apparently not.
—
Justin Azoff
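As an added illustration of the reply above (not code from this thread or from the domain-tld project), here is one way such an Intel::seen hook could look. It assumes the domain-tld package is installed and that it exports a `DomainTLD::effective_domain()` function returning the registrable domain (for example `yahoo.com` for `www.yahoo.com`); the load path and that function name are assumptions to check against the installed package. The stock Intel DNS script already calls Intel::seen with the full query string, so this script only adds a second lookup when the effective domain differs from the query, which is exactly the `www.yahoo.com` versus `yahoo.com` case in the thread.

```bro
# Added example: match Intel::DOMAIN indicators against the effective
# (registrable) domain of each DNS query, so an indicator of "yahoo.com"
# also fires for a lookup of "www.yahoo.com".
@load base/frameworks/intel
@load base/protocols/dns

# Assumption: Seth Hall's domain-tld package is installed (e.g. via bro-pkg)
# and reachable under this load path.
@load domain-tld

module IntelEffectiveDomain;

event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
    {
    # Assumed API: DomainTLD::effective_domain("www.yahoo.com") -> "yahoo.com"
    local ed = DomainTLD::effective_domain(query);

    # The base Intel DNS script already reports the full query string;
    # only add a lookup when the effective domain is a different value,
    # otherwise every hit would be reported twice.
    if ( ed == "" || ed == query )
        return;

    Intel::seen([$indicator=ed,
                 $indicator_type=Intel::DOMAIN,
                 $conn=c,
                 $where=DNS::IN_REQUEST]);
    }
```

With this loaded, an intel file entry of `yahoo.com Intel::DOMAIN testdomain` produces an intel.log entry for the `www.yahoo.com` query shown in the quoted dns.log line, with `seen.indicator` set to `yahoo.com` and `seen.where` set to `DNS::IN_REQUEST`. Keep in mind this broadens matching to every subdomain of an indicator, so indicators that are themselves bare registrable domains of large shared hosts will match a lot of traffic.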