[Bro] A little more confusion with Intel

James Lay jlay at slave-tothe-box.net
Mon Jan 22 08:30:54 PST 2018


Hi Seth, 

It's actually the inverse of what I'm seeing.  In my tests if I have
Intel::DOMAIN yahoo.com and I did a "dig www.yahoo.com", the domain
intel would not match because the dns request was for "www.yahoo.com",
not yahoo.com.  Does that make sense?  Thank you. 

James 

On 2018-01-19 07:44, Seth Hall wrote:

> Hi James! :) 
> 
> Right now the Intel framework is only for doing complete strings matches for all of the string types (which Intel::DOMAIN is) so you don't get the substring matching like you want. Robin and I talked about this a couple of years ago as something that we wanted to address in Bro and Robin did a small prototype of a library that would make it possible by globbing. The idea was that you'd be able to have intelligence items that looked like this.. "*yahoo.com" or "www.*.yahoo.*". The initial implementation didn't perform acceptably well and we haven't had time to get back to that work yet. 
> 
> Right now if you are interested in looking for "www.yahoo.com" you will have to insert that specifically as an intelligence item. I'm not sure that the example you've given is something that people encounter in typical operational usage (although if I'm wrong, someone please let me know!). 
> 
> .Seth 
> 
> On 18 Jan 2018, at 12:42, James Lay wrote: 
> 
> Wait what?  So....it looks like www.yahoo.com matches, but yahoo.com doesn't? 
> 
> That kinda nukes the whole match any bad host with domain ;)  Think you can lend a hand Seth?  Thanks. 
> 
> James
> 
> On 2018-01-18 10:33, Azoff, Justin S wrote:
> 
> > On Jan 18, 2018, at 11:42 AM, James Lay <jlay at slave-tothe-box.net> wrote:
> > 
> > ... 
> > yahoo.com Intel::DOMAIN testdomain
> > ... 
> > 1516289219.143906 CFXRMB4RJIFYSdw72a 192.168.1.2 62196 192.168.1.1 53 udp 3285 0.003246 www.yahoo.com 1 C_INTERNET 1 A 0 NOERROR F F TT 0 atsv2-fp.wg1.b.yahoo.com,98.138.252.38,98.138.252.39,98.139.180.180,206.190.39.43 1320.000000,39.000000,39.000000,39.000000,39.000000 F
> > 
> > and no intel.log.  What's different here?  Would love to know what I'm missing..thank you. 
> 
> www.yahoo.com is not yahoo.com
> 
> You need an Intel::seen event that uses
> https://github.com/sethhall/domain-tld to get that to match.  I
> thought someone wrote a package that did this, but apparently not.
> 
> -- 
> Justin Azoff

> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

> --
> Seth Hall * Corelight, Inc * www.corelight.com 
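The matching gap the thread describes, as an added example in Python rather than Bro script; it is not code from the list or from Bro/Zeek. The indicator set and the public-suffix subset are constructed, and the suffix lookup stands in for the domain-tld package Justin points to.

```python
# Added example, not code from the Bro list thread or from Bro/Zeek itself.
# It models the behaviour discussed above: the Intel framework compares the
# whole DNS query string against Intel::DOMAIN indicators, so "yahoo.com"
# never matches a query for "www.yahoo.com". The second half shows the names
# an Intel::seen handler would have to report in addition (the query plus its
# parents down to the registered domain) for that indicator to fire.
from __future__ import annotations

INTEL_DOMAINS = {"yahoo.com"}              # constructed, mirrors the thread's intel file
PUBLIC_SUFFIXES = {"com", "net", "co.uk"}  # constructed subset; a real list is far larger

def labels_of(name: str) -> list[str]:
    """Normalise a DNS name: drop the trailing dot, lower-case, split on dots."""
    return name.rstrip(".").lower().split(".")

def exact_match(query: str, intel: set[str]) -> bool:
    """What Intel::DOMAIN does today: the full query string must equal an indicator."""
    return ".".join(labels_of(query)) in intel

def registered_domain(query: str, suffixes: set[str]) -> str | None:
    """Registered ('effective') domain: one label more than the longest public suffix.
    Stand-in for the domain-tld lookup mentioned in the thread."""
    labels = labels_of(query)
    for i in range(len(labels)):              # longest candidate suffix first
        if ".".join(labels[i:]) in suffixes:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None                               # unknown TLD: no registered domain

def names_to_check(query: str, suffixes: set[str]) -> list[str]:
    """The query and every parent down to (and including) its registered domain,
    e.g. www.yahoo.com -> ['www.yahoo.com', 'yahoo.com']."""
    labels = labels_of(query)
    reg = registered_domain(query, suffixes)
    if reg is None:
        return [".".join(labels)]
    cut = len(labels) - len(reg.split("."))
    return [".".join(labels[i:]) for i in range(cut + 1)]

def parent_match(query: str, intel: set[str], suffixes: set[str]) -> list[str]:
    """Indicators hit once every name from names_to_check() is reported."""
    return [n for n in names_to_check(query, suffixes) if n in intel]

if __name__ == "__main__":
    for q in ("www.yahoo.com", "yahoo.com", "mail.yahoo.co.uk", "example.net"):
        print(f"{q:20} exact={exact_match(q, INTEL_DOMAINS)!s:5} "
              f"parents={parent_match(q, INTEL_DOMAINS, PUBLIC_SUFFIXES)}")
```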
