[Bro] A little more confusion with Intel

James Lay jlay at slave-tothe-box.net
Thu Jan 18 09:42:11 PST 2018


Wait what?  So... it looks like www.yahoo.com matches, but yahoo.com
doesn't? 

That kinda nukes the whole match any bad host with domain ;)  Think you
can lend a hand, Seth?  Thanks. 

James

On 2018-01-18 10:33, Azoff, Justin S wrote: 

>> On Jan 18, 2018, at 11:42 AM, James Lay <jlay at slave-tothe-box.net> wrote:
>> 
>> ...
> 
>> yahoo.com Intel::DOMAIN testdomain
>> ...
> 
>> 1516289219.143906 CFXRMB4RJIFYSdw72a 192.168.1.2 62196 192.168.1.1 53 udp 3285 0.003246 www.yahoo.com 1 C_INTERNET 1 A 0 NOERROR F F TT 0 atsv2-fp.wg1.b.yahoo.com,98.138.252.38,98.138.252.39,98.139.180.180,206.190.39.43 1320.000000,39.000000,39.000000,39.000000,39.000000 F
>> 
>> and no intel.log.  What's different here?  Would love to know what I'm missing..thank you.
> 
> www.yahoo.com is not yahoo.com
> 
> You need an Intel::seen event that uses
> https://github.com/sethhall/domain-tld to get that to match.  I
> thought someone wrote a package that did this, but apparently not.
> 
> -- 
> Justin Azoff
 

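The kind of Intel::seen hook Justin describes, written as an added example for this thread (it is not code from the Bro distribution or from the domain-tld package, and it assumes Bro 2.5 with sethhall/domain-tld installed and exporting a function named DomainTLD::effective_domain):

```zeek
# Added example: feed the registered domain of every DNS query name to the
# Intel framework so an Intel::DOMAIN indicator for "yahoo.com" also fires
# on a lookup of "www.yahoo.com". Assumes Bro 2.5 and that the domain-tld
# package exposes DomainTLD::effective_domain() (assumed name; check the
# package you installed).
@load base/frameworks/intel
@load domain-tld

module IntelRegisteredDomain;

event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
	{
	# The stock base/frameworks/intel/seen/dns script already submits the
	# exact query name, so only add a second lookup when the registered
	# domain differs from it; otherwise every hit would be reported twice.
	local eff = DomainTLD::effective_domain(query);
	if ( eff == "" || eff == query )
		return;

	# This goes through the same match path as the built-in DNS seen script,
	# so a match lands in intel.log with the usual uid/sources fields.
	Intel::seen([$indicator=eff,
	             $indicator_type=Intel::DOMAIN,
	             $conn=c,
	             $where=DNS::IN_REQUEST]);
	}
```

Because the indicator handed to Intel::seen is the registered domain, the seen.indicator column in intel.log will read yahoo.com rather than www.yahoo.com; the full query name is still in dns.log under the same uid.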