Intel::URL entries need protocol removed
bruberg opened this issue · comments
In OTX, URLs are listed including the protocol scheme (http://, ftp://, etc). The Intel::URL indicator type (seen.indicator_type) in bro-otx fails to trigger if the scheme exists.
Example: if otx.dat has an Intel::URL entry "http://example.com/path.txt", Bro will not react. However, if the otx.dat entry is simply "example.com/path.txt", Bro triggers as expected.
Is it possible for bro-otx to strip the protocol scheme from Intel::URL types?
Yeah, there's an open pull request for this. I think that I can make this happen. In general this package needs some love. I'm going to try to get it updated into a bro package, so keep an eye out and I'll fix this too.
This should be resolved with 531cdcd, please let me know if you find any more issues.
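
The normalization requested in this issue, as an added example that is not part of the thread and is not bro-otx's own code (it does not reproduce commit 531cdcd). The function names and sample entries are constructed, and the header assumes an intel file with only the `indicator`, `indicator_type` and `meta.source` columns.

```python
import re

# RFC 3986 scheme (ALPHA followed by ALPHA / DIGIT / "+" / "-" / ".") plus "://".
# Anchored at the start so a URL embedded in a query string is left untouched.
_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://")


def normalize_indicator(indicator, indicator_type):
    """Return the indicator with any leading scheme removed for Intel::URL."""
    value = indicator.strip()
    if indicator_type != "Intel::URL":
        return value  # other indicator types are passed through unchanged
    return _SCHEME.sub("", value, count=1)


def render_intel(entries, source="OTX"):
    """Build a tab-separated intel file from (indicator, type) pairs."""
    lines = ["#fields\tindicator\tindicator_type\tmeta.source"]
    seen = set()
    for indicator, itype in entries:
        value = normalize_indicator(indicator, itype)
        # Skip entries that are empty after stripping, that would break the
        # tab-separated layout, or that duplicate an earlier normalized entry.
        if not value or "\t" in value or (value, itype) in seen:
            continue
        seen.add((value, itype))
        lines.append("\t".join((value, itype, source)))
    return "\n".join(lines) + "\n"


# Constructed sample entries in the shape the issue describes.
SAMPLE = [
    ("http://example.com/path.txt", "Intel::URL"),
    ("FTP://example.com/pub/file.bin", "Intel::URL"),
    ("example.com/path.txt", "Intel::URL"),        # duplicate once normalized
    ("example.com/r?u=http://example.org/", "Intel::URL"),
    ("example.org", "Intel::DOMAIN"),
    ("http://", "Intel::URL"),                     # nothing left after the scheme
]

if __name__ == "__main__":
    print(render_intel(SAMPLE), end="")
```
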