Intel Framework Extensions

anthony_kasza1 · September 14, 2013, 7:51pm

In an attempt to customize the intel framework I’ve run into a few issues and am looking for advice on how to proceed. I have two questions.

Given the Intel::Type enum is not redefinable, what is the best way to add new types of indicators to the intel framework? I’ve managed to add DOMAIN_TLDs to the framework, but only by editing base/frameworks/intel/main.

A rather specific case I’ve been considering is the best way to identify a set of unordered URL parameters. A chain of requires-signature might be a solution, but it seems inelegant. Although one may not necessarily care which domain, path, or file an HTTP request contains, it may become interesting given the presence of specific parameters. Example requests follow:

hxxp://domain1.tld/path1/file1.asp?foo=1&bar=2
hxxp://domain2.tld/path2/file2.asp?foo=3&bar=4
hxxp://domain3.tld/path3/file3.asp?bar=6&foo=5

It would be nice to be able to include a set of strings in an intel.dat file. Does anyone have any ideas on how to extend the intel framework to support complex indicators? Patterns could be useful, too.

-AK

Seth_Hall3 · September 16, 2013, 1:45am

Given the Intel::Type enum is not redefinable, what is the best way to add new types of indicators to the intel framework? I've managed to add DOMAIN_TLDs to the framework, but only by editing base/frameworks/intel/main.

Enums are implicitly redef-able. Have you tried it?

It would be nice to be able to include a set of strings in an intel.dat file. Does anyone have any ideas on how to extend the intel framework to support complex indicators?

That's not possible through extensions yet. It's very possible that we'll add more capability for matching extensions later, but for now the intel framework is very minimal and simple.

Keep in mind that I'm not saying you couldn't write a Bro script that does this, just that the intel framework is probably not what you're looking for right now.

Patterns could be useful, too.

We've discussed this for a long time and it's something that we will approach in the future, but it likely won't be for full Bro patterns (regular expressions).

.Seth

anthony_kasza1 · September 16, 2013, 2:26pm

Got it. Thanks for the info, Seth!

Topic		Replies	Views
Bif tuning / overhaul Development development	4	66	May 6, 2022
Policy script enums (and event engine interaction) Development development	6	50	May 6, 2022
updating intelligence data without restarting Zeek Development development	2	102	May 6, 2022
enum namespacing Development development	6	69	May 6, 2022
Request for Handholding - BIF Extending Zeek	2	48	May 6, 2022

Intel Framework Extensions

Related Topics