From 068c49a3d3576382c904c4524f0bf8eb0ebac7f5 Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Thu, 22 Sep 2016 16:52:59 -0700
Subject: [PATCH] Normalize http host in seen script.
This changes the behavior to be just like in the base scripts.
Addresses BIT-1695
---
 scripts/policy/frameworks/intel/seen/http-headers.bro | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/scripts/policy/frameworks/intel/seen/http-headers.bro b/scripts/policy/frameworks/intel/seen/http-headers.bro
index 864b685126..382bae439e 100644
--- a/scripts/policy/frameworks/intel/seen/http-headers.bro
+++ b/scripts/policy/frameworks/intel/seen/http-headers.bro
@@ -6,16 +6,18 @@ event http_header(c: connection, is_orig: bool, name: string, value: string)
 {
 if ( is_orig )
 {
-switch ( name )
+switch ( name )
 {
 case "HOST":
-if ( is_valid_ip(value) )
-Intel::seen([$host=to_addr(value),
+# The split is done to remove the occasional port value that shows up here (see also base script)
+local host = split_string1(value, /:/)[0];
+if ( is_valid_ip(host) )
+Intel::seen([$host=to_addr(host),
 $indicator_type=Intel::ADDR,
 $conn=c,
 $where=HTTP::IN_HOST_HEADER]);
 else
-Intel::seen([$indicator=host,
+Intel::seen([$indicator=host,
 $indicator_type=Intel::DOMAIN,
 $conn=c,
 $where=HTTP::IN_HOST_HEADER]);
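Review bot: The port-stripping in `local host = split_string1(value, /:/)[0];` cuts at the first colon, so a bracketed IPv6 literal in the Host header (RFC 7230 allows `[2001:db8::1]:8080`) is reduced to `[2001`; `is_valid_ip` then fails and the truncated string is submitted as an `Intel::DOMAIN` indicator instead of the address as `Intel::ADDR`. The comment says this mirrors the base script, which is not visible here, so if that script has the same split the fix presumably belongs in both places. A safer normalization would first check for a leading `[` and take the text up to the closing `]` (dropping the brackets) before falling back to the colon split for the `host:port` case, and it would help to state in the comment that only the IPv4/hostname `host:port` form is handled until then. The `http_header` body continues past the end of the hunk.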