[Bro] A little more confusion with Intel
Seth Hall
seth at corelight.com
Mon Jan 29 08:14:33 PST 2018
On 22 Jan 2018, at 11:30, James Lay wrote:
> It's actually the inverse of what I'm seeing. In my tests if I have
> Intel::DOMAIN yahoo.com and I did a
> "dig [www.yahoo.com",](<http://www.yahoo.com",>) the domain intel
> would not match because the dns request was for "www.yahoo.com", not
> yahoo.com. Does that make sense? Thank you.
Yeah, if we had a more comprehensive matcher for the intel framework
then you'd have a lot of options open for you. I suppose that my main
point was that at the moment you will have to just include the exact
domain that you want to match on.
Do you have a large list where you'd like to watch for any hits on the
effective second level domain like you're describing here?
.Seth
--
Seth Hall * Corelight, Inc * www.corelight.com
More information about the Bro
mailing list