[Bro] A little more confusion with Intel

James Lay jlay at slave-tothe-box.net
Wed Jan 31 15:21:58 PST 2018


Thanks Seth,

I basically modified this for bro use:

https://isc.sans.edu/forums/diary/Tracking+Newly+Registered+Domains/23127/

It's basically a list of domain names that have been newly registered.  
Does that help?

James

On 2018-01-29 09:14, Seth Hall wrote:
> On 22 Jan 2018, at 11:30, James Lay wrote:
> 
>> It's actually the inverse of what I'm seeing.  In my tests if I have 
>> Intel::DOMAIN yahoo.com and I did a 
>> "dig www.yahoo.com", the domain intel
>> would not match because the dns request was for "www.yahoo.com", not 
>> yahoo.com.  Does that make sense?  Thank you.
> 
> Yeah, if we had a more comprehensive matcher for the intel framework
> then you'd have a lot of options open for you.  I suppose that my main
> point was that at the moment you will have to just include the exact
> domain that you want to match on.
> 
> Do you have a large list where you'd like to watch for any hits on the
> effective second level domain like you're describing here?
> 
>   .Seth
> 
> --
> Seth Hall * Corelight, Inc * www.corelight.com
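The exchange above turns on one detail of Bro's Intel framework: an `Intel::DOMAIN` indicator of `yahoo.com` only fires when the observed DNS query is exactly `yahoo.com`, so a lookup of `www.yahoo.com` misses. The following Python model, added here as an illustration and not code from Bro or from either poster, reads a small constructed file in Bro's tab-separated intel format and shows the exact-match behaviour Seth describes next to the parent-domain walk James is after. The walk stops at two labels and does not consult a public suffix list, so it is a simplification of Seth's "effective second level domain" idea, not an implementation of it; the indicators in the file are placeholders.

```python
"""Model of Bro Intel::DOMAIN matching: exact match vs. walking up parent labels.

Added example; it reproduces the framework's behaviour in plain Python and is
not the Bro implementation itself.
"""
from typing import Dict, List, Optional

# Constructed sample in Bro's intel file format: a "#fields" header line
# naming the columns, then one tab-separated row per indicator.
INTEL_FILE = (
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\n"
    "yahoo.com\tIntel::DOMAIN\tconstructed-list\tplaceholder entry\n"
    "newly-registered.example\tIntel::DOMAIN\tconstructed-list\tnew registration\n"
    "198.51.100.7\tIntel::ADDR\tconstructed-list\tnot a domain, ignored here\n"
)


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so lookups are case/FQDN insensitive."""
    return name.strip().rstrip(".").lower()


def parse_intel(text: str) -> Dict[str, Dict[str, str]]:
    """Return {indicator: row} for the Intel::DOMAIN rows of an intel file."""
    fields: List[str] = []
    domains: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#fields"):
            # Column names follow the "#fields" token, tab-separated.
            fields = raw.split("\t")[1:]
            continue
        if raw.startswith("#"):
            continue  # other comment/header lines
        row = dict(zip(fields, raw.split("\t")))
        if row.get("indicator_type") != "Intel::DOMAIN":
            continue
        domains[normalize(row["indicator"])] = row
    return domains


def exact_match(query: str, intel: Dict[str, Dict[str, str]]) -> Optional[str]:
    """What Bro's Intel framework does today: the query must equal an indicator."""
    q = normalize(query)
    return q if q in intel else None


def parent_match(query: str, intel: Dict[str, Dict[str, str]],
                 min_labels: int = 2) -> Optional[str]:
    """Walk from the full query name up through its parent domains.

    Returns the first indicator hit, e.g. "yahoo.com" for "www.yahoo.com".
    Candidates shorter than min_labels (bare TLDs) are never checked, so a
    stray "com" indicator cannot match every query. This is a simplified
    stand-in for effective-second-level-domain matching and does not use the
    public suffix list (so "co.uk" style suffixes are not handled specially).
    """
    labels = normalize(query).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if len(labels) - i < min_labels:
            break
        if candidate in intel:
            return candidate
    return None


if __name__ == "__main__":
    intel = parse_intel(INTEL_FILE)
    for q in ("yahoo.com", "www.yahoo.com", "cdn.newly-registered.example"):
        print(f"{q:32s} exact={exact_match(q, intel)!s:12s} "
              f"parent={parent_match(q, intel)}")
```

Running the block prints one line per query; only `yahoo.com` itself hits under `exact_match`, while `parent_match` also resolves `www.yahoo.com` to the `yahoo.com` indicator, which is the gap the thread is discussing.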

