I have a scenario where, for TOR-related IPs, it's important I understand WHERE they went.
As an example I want to know if a TOR IP accessed
I care if it accessed http://mycompany.com/webmail/mail/0,12323123,123123
I don’t care if it accessed http://mycompany.com/login
I know TOR nodes will always try and access our services to poke around etc., but I really care if someone logs into an account successfully.
There are two ways I thought of doing this:
1: Enrich the intel.log with http URL information (pump into SIEM for further analysis)
2: Write a custom bro script to do additional analysis.
Anyone tackled a similar challenge and can share?
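One way to combine both ideas in a single script, as an added example that is not from the original post or from the Bro/Zeek project: remember client addresses that hit an `Intel::ADDR` indicator, then check the URI and status code once the HTTP reply is parsed, flag the row in http.log for the SIEM, and raise a notice only for sensitive paths. It assumes the Bro 2.x / Zeek 3.x Intel framework events as written; the notice name, the `/webmail/` pattern and the one-hour expiry are assumptions for the example.

```zeek
##! Added example: tie Intel::ADDR hits to the HTTP URI they reached.
@load base/frameworks/intel
@load base/frameworks/notice
@load base/protocols/http

module TorAccess;

export {
    redef enum Notice::Type += {
        ## A connection from an intel-listed address reached a sensitive URI.
        Sensitive_URI
    };

    ## Paths that matter; /login is deliberately not matched here.
    const sensitive_uris = /^\/webmail\// &redef;

    ## Client addresses that matched an Intel::ADDR indicator. They are kept
    ## for a while because the address match fires at connection setup,
    ## before the HTTP request line has been parsed.
    global flagged_clients: set[addr] &create_expire=1hr;
}

## Extra http.log column so the SIEM can pivot without joining intel.log.
redef record HTTP::Info += {
    intel_client: bool &default=F &log;
};

event Intel::match(s: Intel::Seen, items: set[Intel::Item])
{
    if ( s?$indicator_type && s$indicator_type == Intel::ADDR && s?$host )
        add flagged_clients[s$host];
}

## http_reply carries the status code, so request and outcome are both known.
event http_reply(c: connection, version: string, code: count, reason: string)
{
    if ( c$id$orig_h !in flagged_clients || ! c?$http || ! c$http?$uri )
        return;

    c$http$intel_client = T;

    # Only 2xx responses to a sensitive path; failed pokes are noise.
    if ( code >= 200 && code < 300 && sensitive_uris in c$http$uri )
        NOTICE([$note=Sensitive_URI,
                $msg=fmt("intel-listed client %s reached %s%s (HTTP %d)",
                         c$id$orig_h, c$http?$host ? c$http$host : "",
                         c$http$uri, code),
                $conn=c,
                $identifier=cat(c$id$orig_h, c$http$uri)]);
}
```

Zeek only sees the URI on cleartext HTTP, so if the webmail front end is HTTPS this needs to run behind a TLS-terminating proxy or be fed from the proxy's access logs instead.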