intel framework

Is there a way to use the intel framework to alert on something like this


I don’t care about the domain I just care about the URI. The adversary keeps using DGA domains but the rest stays the same.

I read the intel framework section online and I don’t see anything that appears it would match this type of intel.


This should work:

The Intel frameworks works on a plugin system. You should be able to add some protocol fields by writing a new scripts if what you need isn’t already there.


You could also use signatures for this.

That is close, but won't work for this. the http-url script uses


build_url basically does host + uri with some extra smarts for all the edge cases.

To have the intel framework just flag the path, you would need a variation of that script that only sets the indicator to the path:

event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
  if ( is_orig && c?$http && c$http$?uri)

You may need/want to remove any query string at the end of the path.

I don't think using Intel::URL for something that is not really a URL will cause a problem, but it is slightly confusing :slight_smile: If you do not want that you can add a new intel type called URL_PATH.

signatures seems to be what I was looking for, thanks for the tip