klehigh/gist:6903342

## gistfile1.txt
--- Bro.pm.old  2013-10-09 14:53:40.205618890 +0000
+++ Bro.pm      2013-10-09 13:19:57.575611679 +0000
@@ -16,7 +16,7 @@

     my @config_search_path = ('claoverride',  $feed->{'query'}, 'client' );

-    $result = "#fields\thost\tnet\tstr\tstr_type\tmeta.source\tmeta.desc\tmeta.url\tmeta.cif_impact\tmeta.cif_severity\tmeta.cif_confidence\n";
+    $result = "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.url\tmeta.cif_impact\tmeta.cif_severity\tmeta.cif_confidence\n";

     foreach my $a (@array){
         my $ip = 0;
@@ -39,15 +39,18 @@
             elsif($a->{'address'} =~ m/$RE{net}{CIDR}{IPv4}/){$net = $a->{'address'};}
             elsif($a->{'address'} =~ m/$RE{net}{IPv4}/){$ip = $a->{'address'};}

-            # host    net    str   str_type
+            # indicator    indicator_type    str   str_type

-            if($domain){ $result .= "-\t-\t".$domain."\tIntel::DOMAIN\t"; }
-            if($url){    $result .= "-\t-\t".$url."\tIntel::URL\t"; }
-            if($ip){     $result .= $ip."\t-\t-\t-\t"; }
-            if($net){    $result .= "-\t".$net."\t-\t-\t"; }
+            if($domain){ $result .= $domain."\tIntel::DOMAIN\t"; }
+            if($url){    $result .= $url."\tIntel::URL\t"; }
+            if($ip){     $result .= $ip."\tIntel::ADDR\t"; }
+                       # TODO: Intel Framework does not support net address type.  Yet.
+            #if($net){    $result .= $net."\t-\t"; }
         }

-        if($ip or $net or $domain or $url) {
+               # TODO : Intel Framework does not support net address type.  Yet.
+        #if($ip or $net or $domain or $url) {
+        if($ip or $domain or $url) {
             $result .= "CIF - ";
             if(exists($a->{'restriction'}) and $a->{'restriction'}) { $result .= $a->{'restriction'}."\t"; }
             else { $result .= "Unknown\t"; }
@@ -74,4 +77,3 @@
     return $result;
 }
 1;
-
	--- Bro.pm.old 2013-10-09 14:53:40.205618890 +0000
	+++ Bro.pm 2013-10-09 13:19:57.575611679 +0000
	@@ -16,7 +16,7 @@

	my @config_search_path = ('claoverride', $feed->{'query'}, 'client' );

	- $result = "#fields\thost\tnet\tstr\tstr_type\tmeta.source\tmeta.desc\tmeta.url\tmeta.cif_impact\tmeta.cif_severity\tmeta.cif_confidence\n";
	+ $result = "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.url\tmeta.cif_impact\tmeta.cif_severity\tmeta.cif_confidence\n";

	foreach my $a (@array){
	my $ip = 0;
	@@ -39,15 +39,18 @@
	elsif($a->{'address'} =~ m/$RE{net}{CIDR}{IPv4}/){$net = $a->{'address'};}
	elsif($a->{'address'} =~ m/$RE{net}{IPv4}/){$ip = $a->{'address'};}

	- # host net str str_type
	+ # indicator indicator_type str str_type

	- if($domain){ $result .= "-\t-\t".$domain."\tIntel::DOMAIN\t"; }
	- if($url){ $result .= "-\t-\t".$url."\tIntel::URL\t"; }
	- if($ip){ $result .= $ip."\t-\t-\t-\t"; }
	- if($net){ $result .= "-\t".$net."\t-\t-\t"; }
	+ if($domain){ $result .= $domain."\tIntel::DOMAIN\t"; }
	+ if($url){ $result .= $url."\tIntel::URL\t"; }
	+ if($ip){ $result .= $ip."\tIntel::ADDR\t"; }
	+ # TODO: Intel Framework does not support net address type. Yet.
	+ #if($net){ $result .= $net."\t-\t"; }
	}

	- if($ip or $net or $domain or $url) {
	+ # TODO : Intel Framework does not support net address type. Yet.
	+ #if($ip or $net or $domain or $url) {
	+ if($ip or $domain or $url) {
	$result .= "CIF - ";
	if(exists($a->{'restriction'}) and $a->{'restriction'}) { $result .= $a->{'restriction'}."\t"; }
	else { $result .= "Unknown\t"; }
	@@ -74,4 +77,3 @@
	return $result;
	}
	1;
	-