Snort mailing list archives

RE: When did this change?


From: "Jeff Dell" <jdell () activeworx com>
Date: Tue, 29 Jun 2004 21:08:55 -0400

I was just trying to help Paul figure out why all of these extra tables were
installed.. I have actually never used the product. It looks interesting
though. 

I would tend to agree with your suggestion, however I personally don't feel
that it is always the case.  For me personally I monitor honeynets with my
software hence the name Honeynet Security Console. And I don't want to
perform a dns lookup on every event or packet that comes into my honeynet.
Most of the time there is a single ip that triggers multiple events, and
sometimes thousands of events.. If I linked the dns name to the event and
not to the ip, I would have to continuously perform an nslookup and this is
something that I don't want to do. My case is probably different than most,
but there are times when you want to link the name to the ip and not to the
event. 

I would agree though.. On a DHCP network... This would not be the best way
to store dns cache.

Cheers,

Jeff 

-----Original Message-----
From: Frank Knobbe [mailto:frank () knobbe us] 
Sent: Tuesday, June 29, 2004 7:46 PM
To: Jeff Dell
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] When did this change?

On Sun, 2004-06-27 at 14:27, Jeff Dell wrote:
> It hasn't changed.. Those additional tables were installed by Aanval
> Intrusion Detection Console. You must have installed it between May04 and
> now.

Who developed Aanval? You Jeff?

If so, here is a suggestion. I would not keep host names in a separate
table for caching purposes. Relations between host names and IP
addresses change over time (especially in internal networks). I would
suggest saving the resolved host names in the iphdr table right next to
the IP address. That way you have a matching IP-hostname pair as it was
resolved at time of capture or name resolution. Even if the host name or
IP address changes down the road (i.e. new DHCP lease), you have the
alert linked to the correct host name and IP as it was at the time of
attack. Fetching a host name out of a separate table indexed on IP creates
false host name representations and can severely distort reports and
mislead humans.

(If the hostname table is just for sensors, then of course ignore this
email :)


Regards,
Frank

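The distortion Frank describes, as an added example that is not part of the thread (Python with sqlite3; the table layout is a simplified stand-in for Snort's iphdr table, and the addresses, host names and the src_hostname column are constructed for illustration):

```python
import sqlite3

# Constructed sample data: two alerts from one source address, resolved at
# capture time, and a later DHCP lease that hands the same address to another host.
SNAPSHOT = (
    (1, "2004-06-01 10:00:00", "10.0.0.5", "alice-laptop"),
    (2, "2004-06-01 10:00:01", "10.0.0.5", "alice-laptop"),
)
LATER_LEASE = ("10.0.0.5", "bob-desktop")


def build_db():
    """Record the resolved name two ways: in a separate cache keyed on IP
    (the approach discussed in the thread) and in a column next to the
    address in a simplified iphdr-style table (Frank's suggestion)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE iphdr(cid INTEGER PRIMARY KEY, ts TEXT, ip_src TEXT,
                           src_hostname TEXT);
        CREATE TABLE hostname_cache(ip TEXT PRIMARY KEY, hostname TEXT);
    """)
    for cid, ts, ip, name in SNAPSHOT:
        db.execute("INSERT INTO iphdr VALUES (?,?,?,?)", (cid, ts, ip, name))
        db.execute("INSERT OR REPLACE INTO hostname_cache VALUES (?,?)", (ip, name))
    # Time passes: the cache is refreshed after the new lease, the alert rows are not.
    db.execute("INSERT OR REPLACE INTO hostname_cache VALUES (?,?)", LATER_LEASE)
    return db


def report_via_cache(db):
    """Host name looked up from the IP-keyed cache at report time."""
    return db.execute("""
        SELECT i.cid, i.ip_src, c.hostname FROM iphdr i
        JOIN hostname_cache c ON c.ip = i.ip_src ORDER BY i.cid""").fetchall()


def report_via_iphdr(db):
    """Host name as it was recorded next to the address when the alert was stored."""
    return db.execute(
        "SELECT cid, ip_src, src_hostname FROM iphdr ORDER BY cid").fetchall()


if __name__ == "__main__":
    db = build_db()
    print("cache join  :", report_via_cache(db))  # old alerts now attributed to bob-desktop
    print("iphdr column:", report_via_iphdr(db))  # still alice-laptop, as at time of attack
```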