Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Add Intel::ADDR lookup to host field

Browse source 
IP addresses are often seen in the HTTP host field; this change checks if the value in the host field is a valid IP address and processes the Intel::seen event to check for an Intel::ADDR indicator.
This commit is contained in:
jshlbrd 2014-04-15 09:07:21 -04:00
parent 9b672f9e7f
commit 2dbca1ccd9
1 changed files with 12 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

18
scripts/policy/frameworks/intel/seen/http-headers.bro
View file

@ -8,12 +8,18 @@ event http_header(c: connection, is_orig: bool, name: string, value: string)
{ {
switch ( name ) switch ( name )
{ {
case "HOST": case "HOST":
Intel::seen([$indicator=value, if ( is_valid_ip(value) )
$indicator_type=Intel::DOMAIN, Intel::seen([$host=to_addr(value),
$conn=c, $conn=c,
$where=HTTP::IN_HOST_HEADER]); $where=HTTP::IN_HOST_HEADER]);
break; else
Intel::seen([$indicator=value,
$indicator_type=Intel::DOMAIN,
$conn=c,
$where=HTTP::IN_HOST_HEADER]);
break;
case "REFERER": case "REFERER":
Intel::seen([$indicator=sub(value, /^.*:\/\//, ""), Intel::seen([$indicator=sub(value, /^.*:\/\//, ""),