Is there a way to use the intel framework to alert on something like this
I don’t care about the domain I just care about the URI. The adversary keeps using DGA domains but the rest stays the same.
I read the intel framework section online and I don’t see anything that appears it would match this type of intel.
This should work:
The Intel frameworks works on a plugin system. You should be able to add some protocol fields by writing a new scripts if what you need isn’t already there.
That is close, but won't work for this. the http-url script uses
build_url basically does host + uri with some extra smarts for all the edge cases.
To have the intel framework just flag the path, you would need a variation of that script that only sets the indicator to the path:
event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
if ( is_orig && c?$http && c$http$?uri)
You may need/want to remove any query string at the end of the path.
I don't think using Intel::URL for something that is not really a URL will cause a problem, but it is slightly confusing If you do not want that you can add a new intel type called URL_PATH.
signatures seems to be what I was looking for, thanks for the tip