Greetings!
We are seeing an issue wherein a domain present in the intel DB is triggering a match when that domain string is seen within another domain.
For the intel entry:
higan.org Intel::DOMAIN https://cybercrime-tracker.net/all.php - T - -
We are seeing matches for visits to the domain michigan.org. Below are sample log lines. These logs are coming from the bro http log using the built-in JSON output. However, we also saw this when parsing HTTPRY, passivedns, and palo-alto logs that were normalized using liblognorm.
Worth noting is that bro itself does not generate intel events using the same intel database for these flows.
{"ts":"2017-08-01T19:52:49.026563Z","uid":"CB5cWx2kQDWGmObIMd","src-ip":"172.16.65.113","src-port":54824,"dst-ip":"52.84.64.23","dst-port":80,"trans_depth":1,"method":"GET","http_uri":"/","referrer":"http://www.michigan.org/events/range","version":"1.1","user_agent":"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko","request_body_len":0,"response_body_len":624,"status_code":307,"status_msg":"Temporary Redirect","tags":[],"resp_fuids":["FbyHn121E04ye8uq4i"],"resp_mime_types":["text/html"],"http_hostname":"health.foresee.com","client_header_names":["CONTENT-TYPE","ACCEPT","REFERER","ACCEPT-LANGUAGE","ACCEPT-ENCODING","USER-AGENT","HOST","CONNECTION"],"uri_vars":["/"]}
{"ts":"2017-07-19T20:53:56.041331Z","uid":"CXr2tP1KajAaZJpHYf","src-ip":"172.16.247.147","src-port":59514,"dst-ip":"104.17.66.74","dst-port":80,"trans_depth":1,"method":"GET","host":"www.michigan.org","http_uri":"/city/three-rivers","referrer":"https://www.google.com/","version":"1.1","user_agent":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36","request_body_len":0,"response_body_len":624,"status_code":307,"status_msg":"Temporary Redirect","tags":[],"resp_fuids":["FqleXx37PZQeYDOsR8"],"resp_mime_types":["text/html"],"client_header_names":["HOST","CONNECTION","UPGRADE-INSECURE-REQUESTS","USER-AGENT","ACCEPT","REFERER","ACCEPT-ENCODING","ACCEPT-LANGUAGE"],"uri_vars":["/city/three-rivers"]}
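The false positive described above comes from matching an intel domain as a bare substring of the observed hostname. The following is an added example (not code from this project) that contrasts that naive check with a label-boundary check over constructed log records modelled on the ones in the report; the field names `host` and `referrer` and the extra `cdn.higan.org` record are assumptions for illustration.

```python
import json
from urllib.parse import urlparse

# Constructed intel set and log records modelled on the issue report.
INTEL_DOMAINS = {"higan.org"}
SAMPLE_LOGS = [
    '{"ts":"2017-08-01T19:52:49.026563Z","host":"health.foresee.com",'
    '"referrer":"http://www.michigan.org/events/range"}',
    '{"ts":"2017-07-19T20:53:56.041331Z","host":"www.michigan.org",'
    '"referrer":"https://www.google.com/"}',
    '{"ts":"2017-07-19T21:00:00.000000Z","host":"cdn.higan.org","referrer":"-"}',
]

def naive_substring_match(hostname, intel):
    """Buggy behaviour from the report: any intel string found anywhere in the hostname matches."""
    return any(d in hostname for d in intel)

def domain_match(hostname, intel):
    """Correct behaviour: exact match, or the intel domain is a parent domain on a label boundary."""
    h = hostname.lower().rstrip(".")
    for d in intel:
        d = d.lower().rstrip(".")
        if h == d or h.endswith("." + d):
            return True
    return False

def extract_hosts(record):
    """Pull the request host and the referrer hostname out of one JSON log record."""
    hosts = []
    if record.get("host"):
        hosts.append(record["host"])
    ref = record.get("referrer")
    if ref and ref != "-":
        ref_host = urlparse(ref).hostname
        if ref_host:
            hosts.append(ref_host)
    return hosts

def scan(log_lines, intel, matcher):
    """Return (timestamp, hostname) for every host the given matcher flags."""
    hits = []
    for line in log_lines:
        rec = json.loads(line)
        for host in extract_hosts(rec):
            if matcher(host, intel):
                hits.append((rec["ts"], host))
    return hits

if __name__ == "__main__":
    print("naive  :", scan(SAMPLE_LOGS, INTEL_DOMAINS, naive_substring_match))
    print("correct:", scan(SAMPLE_LOGS, INTEL_DOMAINS, domain_match))
```

The naive matcher flags both michigan.org records exactly as the report describes; the boundary-aware matcher flags only the true subdomain of the intel entry.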