[Bro] A little more confusion with Intel
Jan Grashöfer
jan.grashoefer at gmail.com
Fri Jan 19 07:26:02 PST 2018
On 18/01/18 22:55, Azoff, Justin S wrote:
> It makes sense that the type would be different, but I could see some people expecting it to just use the normal Intel::DOMAIN so
> existing feeds match.
While that's certainly true, a couple of people might already rely on
Intel::DOMAIN matching the complete domain.
> The more I think about this, there's also the similar calls to seen() for via HTTP::IN_HOST_HEADER, SSL::IN_SERVER_NAME, and X509::IN_CERT
Yep, I will just add corresponding scripts to the package.
> Maybe the intel framework itself needs to have an option to use the effective TLD when looking up Intel::DOMAINs inside of seen()
In that case the framework should report both: The effective and the
complete domain. However, using a separate type would be more flexible
as users could decide case by case or even add both.
Given that the effective_domain function is already available as a
package, I would vote for an additional package. In theory even the
intel framework itself could be made a package.
Jan
More information about the Bro
mailing list