From 07045ec254dffec4f02ef684c30180ae388445f0 Mon Sep 17 00:00:00 2001
From: Robin Sommer
Date: Tue, 21 Dec 2021 08:49:46 +0100
Subject: [PATCH] Fix host header normalization in intel framework.

The way we were splitting off ports from host names could fail for IPv6 addresses.
Closes #1844.
---
scripts/policy/frameworks/intel/seen/http-headers.zeek | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/policy/frameworks/intel/seen/http-headers.zeek b/scripts/policy/frameworks/intel/seen/http-headers.zeek
index 382bae439e..066d10c0fc 100644
--- a/scripts/policy/frameworks/intel/seen/http-headers.zeek
+++ b/scripts/policy/frameworks/intel/seen/http-headers.zeek
@@ -9,8 +9,8 @@ event http_header(c: connection, is_orig: bool, name: string, value: string)
 switch ( name )
 {
 case "HOST":
- # The split is done to remove the occasional port value that shows up here (see also base script)
- local host = split_string1(value, /:/)[0];
+ # Remove the occasional port value that shows up here.
+ local host = gsub(value, /:[[:digit:]]+$/, "");
 if ( is_valid_ip(host) )
 Intel::seen([$host=to_addr(host), $indicator_type=Intel::ADDR,