intel framework

Is there a way to use the intel framework to alert on something like this:

/templates/nivoslider/loading.php

I don’t care about the domain, I just care about the URI. The adversary keeps using DGA domains but the rest stays the same.

I read the intel framework section online and I don’t see anything that appears it would match this type of intel.

Thanks
Tim

This should work:

https://github.com/bro/bro/blob/master/scripts/policy/frameworks/intel/seen/http-url.bro

The Intel framework works on a plugin system. You should be able to add some protocol fields by writing a new script if what you need isn’t already there.

-AK

You could also use signatures for this.

https://www.bro.org/sphinx/frameworks/signatures.html

That is close, but won't work for this. The http-url script uses

    $indicator=HTTP::build_url(c$http)

build_url basically does host + uri with some extra smarts for all the edge cases.

To have the intel framework just flag the path, you would need a variation of that script that only sets the indicator to the path:

    event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
      {
      # Only the request (originator) side carries the URI.
      if ( is_orig && c?$http && c$http?$uri )
        Intel::seen([$indicator=c$http$uri,
                     $indicator_type=Intel::URL,
                     $conn=c,
                     $where=HTTP::IN_URL]);
      }

You may need/want to remove any query string at the end of the path.

I don't think using Intel::URL for something that is not really a URL will cause a problem, but it is slightly confusing :) If you do not want that you can add a new intel type called URL_PATH.
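Putting the two suggestions above together (a dedicated URL_PATH indicator type and stripping the query string before matching), as an added example that is not code from this thread or from the Bro project; the module name IntelPath, the helper path_only and the sample intel row are my own assumptions:

```bro
# Added example, not from the original thread or the Bro distribution.
# Assumes a Bro 2.x intel framework where HTTP::IN_URL is already defined
# by the stock where.bro; the module name and the URL_PATH type are mine.
module IntelPath;

# New indicator type so path indicators do not mix with real URL indicators.
# Intel file rows then use Intel::URL_PATH in the indicator_type column,
# e.g. (tab-separated, constructed sample):
#   /templates/nivoslider/loading.php   Intel::URL_PATH   feed-placeholder   desc-placeholder
redef enum Intel::Type += { Intel::URL_PATH };

# Drop any query string so "/x.php?id=1" still matches the "/x.php" indicator.
# sub() replaces the first match of the pattern in the string.
function path_only(uri: string): string
  {
  return sub(uri, /\?.*$/, "");
  }

event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
  {
  # The URI is only meaningful on the request (originator) side.
  if ( ! is_orig || ! c?$http || ! c$http?$uri )
    return;

  Intel::seen([$indicator=path_only(c$http$uri),
               $indicator_type=Intel::URL_PATH,
               $conn=c,
               $where=HTTP::IN_URL]);
  }
```

A hit is reported through the normal Intel::match path, so it shows up in intel.log (or as a notice if do_notice is loaded) regardless of which DGA domain hosted the path.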

Signatures seem to be what I was looking for, thanks for the tip