[Bro] A little more confusion with Intel
Seth Hall
seth at corelight.com
Fri Jan 19 06:44:57 PST 2018
Hi James! :)
Right now the Intel framework is only for doing complete string matches
for all of the string types (which Intel::DOMAIN is), so you don't get
the substring matching like you want. Robin and I talked about this a
couple of years ago as something that we wanted to address in Bro, and
Robin did a small prototype of a library that would make it possible by
globbing. The idea was that you'd be able to have intelligence items
that looked like this: "*yahoo.com" or "www.*.yahoo.*". The initial
implementation didn't perform acceptably well and we haven't had time to
get back to that work yet.
Right now if you are interested in looking for "www.yahoo.com" you will
have to insert that specifically as an intelligence item. I'm not sure
that the example you've given is something that people encounter in
typical operational usage (although if I'm wrong, someone please let me
know!).
.Seth
On 18 Jan 2018, at 12:42, James Lay wrote:
> Wait what? So....it looks like www.yahoo.com matches, but
> yahoo.com
> doesn't?
>
> That kinda nukes the whole match any bad host with domain ;) Thank
> you
> can lend a hand Seth? Thanks.
>
> James
>
> On 2018-01-18 10:33, Azoff, Justin S wrote:
>
>>> On Jan 18, 2018, at 11:42 AM, James Lay <jlay at slave-tothe-box.net>
>>> wrote:
>>>
>>> ...
>>
>>> yahoo.com Intel::DOMAIN testdomain
>>> ...
>>
>>> 1516289219.143906 CFXRMB4RJIFYSdw72a 192.168.1.2 62196 192.168.1.1
>>> 53 udp 3285 0.003246 www.yahoo.com 1 C_INTERNET 1 A 0 NOERROR F
>>> F TT 0
>>> atsv2-fp.wg1.b.yahoo.com,98.138.252.38,98.138.252.39,98.139.180.180,206.190.39.43
>>> 1320.000000,39.000000,39.000000,39.000000,39.000000 F
>>>
>>> and no intel.log. What's different here? Would love to know what
>>> I'm missing..thank you.
>>
>> www.yahoo.com is not yahoo.com
>>
>> You need an intel::seen event that uses
>> https://github.com/sethhall/domain-tld to get that to match. I
>> thought someone wrote a package that did this, but apparently not.
>>
>> --
>> Justin Azoff
--
Seth Hall * Corelight, Inc * www.corelight.com
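To make the distinction in this thread concrete, here is an added example (not Bro's code, not from Seth or Justin) that emulates the two behaviours in Python: the Intel framework's whole-string match for Intel::DOMAIN, and the effect of feeding each label-aligned parent domain to Intel::seen, as the domain-tld suggestion does. The intel item "yahoo.com testdomain" is the constructed one from James's table; the glob check shows why "*yahoo.com" over-matches.

```python
# Added example: exact vs. label-aligned parent-domain matching against a
# constructed set of Intel::DOMAIN-style indicators. This is not Bro/Zeek
# code; it only emulates the semantics discussed in the thread.
import fnmatch
from typing import Iterator, Optional

# Constructed intel items, keyed the way the Intel framework keys string
# types: by the complete string. "yahoo.com" comes from James's intel file.
INTEL_DOMAINS = {"yahoo.com": "testdomain"}


def normalize(name: str) -> str:
    """Lower-case and drop a trailing dot so lookups are canonical."""
    return name.lower().rstrip(".")


def exact_match(query: str, intel=INTEL_DOMAINS) -> Optional[str]:
    """What the Intel framework does for Intel::DOMAIN today: the whole
    string must equal the indicator, so 'www.yahoo.com' misses 'yahoo.com'."""
    return intel.get(normalize(query))


def parent_domains(query: str) -> Iterator[str]:
    """Yield the name and every label-aligned parent:
    www.yahoo.com -> yahoo.com -> com."""
    labels = normalize(query).split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def suffix_match(query: str, intel=INTEL_DOMAINS) -> Optional[str]:
    """Emulates calling Intel::seen once per parent domain, so a bare
    'yahoo.com' item also fires on its subdomains. Because the walk is
    label-aligned, 'notyahoo.com' does not hit the 'yahoo.com' item.
    (A real Intel::seen hook would stop at the effective domain rather
    than descending all the way to the TLD.)"""
    for candidate in parent_domains(query):
        hit = intel.get(candidate)
        if hit is not None:
            return hit
    return None


def naive_glob_match(query: str, pattern: str) -> bool:
    """The '*yahoo.com' glob idea from the thread, via fnmatch. Note that
    it also matches unrelated names that merely end in the same characters."""
    return fnmatch.fnmatch(normalize(query), pattern.lower())
```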