[Bro] A little more confusion with Intel

Seth Hall seth at corelight.com
Fri Jan 19 06:44:57 PST 2018


Hi James! :)

Right now the Intel framework is only for doing complete string matches 
for all of the string types (which Intel::DOMAIN is) so you don't get 
the substring matching like you want.  Robin and I talked about this a 
couple of years ago as something that we wanted to address in Bro and 
Robin did a small prototype of a library that would make it possible by 
globbing.  The idea was that you'd be able to have intelligence items 
that looked like this: "*yahoo.com" or "www.*.yahoo.*".  The initial 
implementation didn't perform acceptably well and we haven't had time to 
get back to that work yet.

Right now if you are interested in looking for "www.yahoo.com" you will 
have to insert that specifically as an intelligence item.  I'm not sure 
that the example you've given is something that people encounter in 
typical operational usage (although if I'm wrong, someone please let me 
know!).

   .Seth

On 18 Jan 2018, at 12:42, James Lay wrote:

> Wait what?  So....it looks like www.yahoo.com matches, but yahoo.com
> doesn't?
>
> That kinda nukes the whole match any bad host with domain ;)  Thank you
> can lend a hand Seth?  Thanks.
>
> James
>
> On 2018-01-18 10:33, Azoff, Justin S wrote:
>
>>> On Jan 18, 2018, at 11:42 AM, James Lay <jlay at slave-tothe-box.net> 
>>> wrote:
>>>
>>> ...
>>
>>> yahoo.com Intel::DOMAIN testdomain
>>> ...
>>
>>> 1516289219.143906 CFXRMB4RJIFYSdw72a 192.168.1.2 62196 192.168.1.1 
>>> 53 udp 3285 0.003246 www.yahoo.com 1 C_INTERNET 1 A 0 NOERROR F 
>>> F TT 0 
>>> atsv2-fp.wg1.b.yahoo.com,98.138.252.38,98.138.252.39,98.139.180.180,206.190.39.43 
>>> 1320.000000,39.000000,39.000000,39.000000,39.000000 F
>>>
>>> and no intel.log.  What's different here?  Would love to know what 
>>> I'm missing..thank you.
>>
>> www.yahoo.com is not yahoo.com
>>
>> You need an intel::seen event that uses
>> https://github.com/sethhall/domain-tld to get that to match.  I
>> thought someone wrote a package that did this, but apparently not.
>>
>> -- 
>> Justin Azoff
>


> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

--
Seth Hall * Corelight, Inc * www.corelight.com
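One way to do what Justin describes, as an added example that is not from the thread or from the Bro project: a Bro script that feeds the registered domain of every DNS query into Intel::seen, so an Intel::DOMAIN item of "yahoo.com" also fires on a lookup of "www.yahoo.com" while the framework itself still does exact string matches. It assumes Bro 2.5-era script APIs (split_string, split_string1, Intel::seen, DNS::IN_REQUEST) and, in place of the domain-tld package's public suffix list, a constructed two-label heuristic that is wrong for suffixes such as co.uk.

```bro
@load base/frameworks/intel
@load policy/frameworks/intel/seen

module IntelRegisteredDomain;

export {
	## How many trailing labels make up the "registered domain".
	## Constructed simplification: the domain-tld package consults the
	## public suffix list instead, which this heuristic does not.
	const trailing_labels = 2 &redef;
}

## Return the last `trailing_labels` labels of a DNS name, lowercased,
## e.g. "www.yahoo.com" -> "yahoo.com".
function registered_domain(name: string): string
	{
	local lname = to_lower(name);
	local parts = split_string(lname, /\./);
	if ( |parts| <= trailing_labels )
		return lname;

	# Drop the leftmost label and recurse until only the trailing
	# labels remain; split_string1 splits on the first dot only.
	return registered_domain(split_string1(lname, /\./)[1]);
	}

event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
	{
	local reg = registered_domain(query);

	# The stock intel/seen scripts already report the full query name,
	# so only add the registered domain when it differs.  The resulting
	# intel.log hit shows "yahoo.com" as the seen indicator, not the
	# full query, so keep dns.log alongside it for the original name.
	if ( reg != to_lower(query) )
		Intel::seen([$indicator=reg,
		             $indicator_type=Intel::DOMAIN,
		             $conn=c,
		             $where=DNS::IN_REQUEST]);
	}
```

Loaded next to the existing intel file from the thread, the sample query for www.yahoo.com would now produce an intel.log entry against the "yahoo.com" item; a query for yahoo.com itself is unaffected, since the registered domain equals the query and the stock scripts already handle it.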