From 2dbca1ccd93da3b949e90f76a236060d0b04bdae Mon Sep 17 00:00:00 2001
From: jshlbrd
Date: Tue, 15 Apr 2014 09:07:21 -0400
Subject: [PATCH] Add Intel::ADDR lookup to host field

IP addresses are often seen in the HTTP host field; this change checks if the value in the host field is a valid IP address and processes the Intel::seen event to check for an Intel::ADDR indicator.
---
 .../frameworks/intel/seen/http-headers.bro | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/scripts/policy/frameworks/intel/seen/http-headers.bro b/scripts/policy/frameworks/intel/seen/http-headers.bro
index 2a74548023..b9393c93a6 100644
--- a/scripts/policy/frameworks/intel/seen/http-headers.bro
+++ b/scripts/policy/frameworks/intel/seen/http-headers.bro
@@ -8,12 +8,18 @@ event http_header(c: connection, is_orig: bool, name: string, value: string)
 {
 switch ( name )
 {
- case "HOST":
- Intel::seen([$indicator=value,
- $indicator_type=Intel::DOMAIN,
- $conn=c,
- $where=HTTP::IN_HOST_HEADER]);
- break;
+ case "HOST":
+ if ( is_valid_ip(value) )
+ Intel::seen([$host=to_addr(value),
+ $conn=c,
+ $where=HTTP::IN_HOST_HEADER]);
+ else
+ Intel::seen([$indicator=value,
+ $indicator_type=Intel::DOMAIN,
+ $conn=c,
+ $where=HTTP::IN_HOST_HEADER]);
+ break;
+
 case "REFERER":
 Intel::seen([$indicator=sub(value, /^.*:\/\//, ""),