
Partial string matching with brointel

Open CyberTaoFlow opened this issue 7 years ago • 0 comments

Greetings! We are seeing an issue wherein a domain present in the intel DB is triggering a match when that domain string is seen within another domain. For the intel entry: higan.org Intel::DOMAIN https://cybercrime-tracker.net/all.php - T - -

We are seeing matches for visits to the domain michigan.org. Below is a sample log line. This log is coming from bro http log using the builtin JSON output. However we also saw this when parsing HTTPRY, passivedns, and palo-alto logs that were normalized using liblognorm.

Worth noting is that bro itself does not generate intel events using the same intel database for these flows.

{"ts":"2017-08-01T19:52:49.026563Z","uid":"CB5cWx2kQDWGmObIMd","src-ip":"172.16.65.113","src-port":54824,"dst-ip":"52.84.64.23","dst-port":80,"trans_depth":1,"method":"GET","http_uri":"/","referrer":"http://www.michigan.org/events/range","version":"1.1","user_agent":"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko","request_body_len":0,"response_body_len":624,"status_code":307,"status_msg":"Temporary Redirect","tags":[],"resp_fuids":["FbyHn121E04ye8uq4i"],"resp_mime_types":["text/html"],"http_hostname":"health.foresee.com","client_header_names":["CONTENT-TYPE","ACCEPT","REFERER","ACCEPT-LANGUAGE","ACCEPT-ENCODING","USER-AGENT","HOST","CONNECTION"],"uri_vars":["/"]}

{"ts":"2017-07-19T20:53:56.041331Z","uid":"CXr2tP1KajAaZJpHYf","src-ip":"172.16.247.147","src-port":59514,"dst-ip":"104.17.66.74","dst-port":80,"trans_depth":1,"method":"GET","host":"www.michigan.org","http_uri":"/city/three-rivers","referrer":"https://www.google.com/","version":"1.1","user_agent":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36","request_body_len":0,"response_body_len":624,"status_code":307,"status_msg":"Temporary Redirect","tags":[],"resp_fuids":["FqleXx37PZQeYDOsR8"],"resp_mime_types":["text/html"],"client_header_names":["HOST","CONNECTION","UPGRADE-INSECURE-REQUESTS","USER-AGENT","ACCEPT","REFERER","ACCEPT-ENCODING","ACCEPT-LANGUAGE"],"uri_vars":["/city/three-rivers"]}

CyberTaoFlow, Aug 30 '17 17:08
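The behaviour reported above, reproduced and contrasted with a correct check, as an added example (this is not Sagan's or Bro's code). It runs a plain substring match over each raw log line, which is what produces the michigan.org hit, and then a label-boundary domain match over the hostname-bearing fields. The two log lines quoted in the report are embedded trimmed to the relevant fields; the two lines with CONSTRUCTED uids are made up for the example. Treating a subdomain of the intel entry as a hit, and picking host, http_hostname and the referrer's hostname as the fields to inspect, are assumptions made for the illustration.

```python
import json
from urllib.parse import urlsplit

# The Intel::DOMAIN indicator from the report (the first column of the
# tab-separated Bro intel file).
INTEL_DOMAINS = {"higan.org"}

# Two lines from the report, trimmed to the hostname-bearing fields, plus two
# constructed lines: one real hit on a subdomain of the indicator and one
# where the indicator appears as a prefix of an unrelated name.
LOG_LINES = [
    '{"ts":"2017-08-01T19:52:49.026563Z","uid":"CB5cWx2kQDWGmObIMd",'
    '"http_uri":"/","referrer":"http://www.michigan.org/events/range",'
    '"http_hostname":"health.foresee.com"}',
    '{"ts":"2017-07-19T20:53:56.041331Z","uid":"CXr2tP1KajAaZJpHYf",'
    '"host":"www.michigan.org","http_uri":"/city/three-rivers",'
    '"referrer":"https://www.google.com/"}',
    # constructed: genuine hit, subdomain of the indicator
    '{"ts":"2017-08-30T17:08:00Z","uid":"CONSTRUCTED0001",'
    '"host":"www.higan.org","http_uri":"/"}',
    # constructed: indicator is a prefix, not a parent domain, so no hit
    '{"ts":"2017-08-30T17:09:00Z","uid":"CONSTRUCTED0002",'
    '"host":"higan.org.example.com","http_uri":"/"}',
]


def scan_substring(lines):
    """Naive check: flag a line if the indicator occurs anywhere in it.

    This is the failure mode in the report: 'higan.org' is a substring of
    'michigan.org', so both michigan.org lines come back as hits.
    Returns a list of (uid, indicator) pairs."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        for intel in INTEL_DOMAINS:
            if intel in line:
                hits.append((rec["uid"], intel))
    return hits


def domain_match(intel, hostname):
    """True when hostname is the indicator itself or a subdomain of it.

    The comparison is anchored on a label boundary: the observed name must
    equal the indicator or end with '.' + indicator. A trailing dot (FQDN
    form) and case differences are normalised away first."""
    h = hostname.lower().rstrip(".")
    i = intel.lower().rstrip(".")
    return h == i or h.endswith("." + i)


def hostnames_from_record(rec):
    """Pull every hostname out of a bro http record: the Host header field
    (named 'host' or 'http_hostname' depending on the log) and the hostname
    part of the referrer URL. Field choice is an assumption for the example."""
    names = []
    for key in ("host", "http_hostname"):
        if rec.get(key):
            names.append(rec[key])
    ref = rec.get("referrer")
    if ref:
        host = urlsplit(ref).hostname
        if host:
            names.append(host)
    return names


def scan_domain(lines):
    """Correct check: extract hostnames, then compare on label boundaries.
    Returns a list of (uid, hostname, indicator) triples."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        for name in hostnames_from_record(rec):
            for intel in INTEL_DOMAINS:
                if domain_match(intel, name):
                    hits.append((rec["uid"], name, intel))
    return hits


if __name__ == "__main__":
    print("substring hits:", scan_substring(LOG_LINES))
    print("domain hits:   ", scan_domain(LOG_LINES))
```

The substring scan flags all four lines, including both michigan.org visits and the higan.org.example.com line; the label-boundary scan flags only the constructed www.higan.org visit. Whichever field a rule inspects, the indicator has to be compared against a parsed hostname, not searched for in the raw line.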