Snort mailing list archives
RE: When did this change?
From: "Jeff Dell" <jdell () activeworx com>
Date: Tue, 29 Jun 2004 21:08:55 -0400
I was just trying to help Paul figure out why all of these extra tables were installed.. I have actually never used the product. It looks interesting though.

I would tend to agree with your suggestion, however I personally don't feel that it is always the case. For me personally I monitor honeynets with my software, hence the name Honeynet Security Console. And I don't want to perform a dns lookup on every event or packet that comes into my honeynet. Most of the time there is a single ip that triggers multiple events, and sometimes thousands of events.. If I linked the dns name to the event and not to the ip, I would have to continuously perform an nslookup and this is something that I don't want to do.

My case is probably different than most, but there are times when you want to link the name to the ip and not to the event. I would agree though.. On a DHCP network... This would not be the best way to store dns cache.

Cheers,
Jeff

-----Original Message-----
From: Frank Knobbe [mailto:frank () knobbe us]
Sent: Tuesday, June 29, 2004 7:46 PM
To: Jeff Dell
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] When did this change?

On Sun, 2004-06-27 at 14:27, Jeff Dell wrote:

It hasn't changed.. Those additional tables were installed by Aanval Intrusion Detection Console. You must have installed it between May04 and now.

Who developed Aanval? You Jeff? If so, here is a suggestion. I would not keep host names in a separate table for caching purposes. Relations between host names and IP addresses change over time (especially in internal networks). I would suggest saving the resolved host names in the iphdr table right next to the IP address. That way you have a matching IP-hostname pair as it was resolved at time of capture or name resolution. Even if the host name or IP address change down the road (i.e. new DHCP lease), you have the alert linked to the correct host name and IP as it was at the time of attack. Fetching a host name out of a separate table indexed on IP creates false host name representations and can severely distort reports and mislead humans.

(If the hostname table is just for sensors, then of course ignore this email :)

Regards,
Frank
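As an added illustration of the schema question both mails raise (this is not code from the thread, from Aanval or from Honeynet Security Console): a small sqlite3 script that writes a constructed set of alerts in both layouts and shows how the cache-keyed join misattributes older alerts after a DHCP lease moves, while a per-run dictionary still keeps lookups to one per address. All table and column names other than iphdr are assumptions.

```python
"""Per-event hostname (Frank's suggestion) vs. a hostname cache keyed on IP."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create both layouts side by side in an in-memory database (assumed names)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        -- Layout A: resolved name stored per event, next to the address,
        -- exactly as it was at the time of capture.
        CREATE TABLE iphdr (cid INTEGER PRIMARY KEY, captured_at INTEGER,
                            ip_src TEXT, ip_src_hostname TEXT);
        -- Layout B: one row per address, overwritten on every re-resolution.
        CREATE TABLE hostname_cache (ip TEXT PRIMARY KEY, hostname TEXT);
    """)
    return con


def record_event(con, cid, captured_at, ip, resolver, cache):
    """Insert one alert into both layouts.  'cache' is an in-process dict, so an
    address that triggers thousands of alerts is resolved once per run (Jeff's
    concern), yet the name is still written per event for layout A."""
    if ip not in cache:
        cache[ip] = resolver(ip)
    con.execute("INSERT INTO iphdr VALUES (?,?,?,?)", (cid, captured_at, ip, cache[ip]))
    con.execute("INSERT OR REPLACE INTO hostname_cache VALUES (?,?)", (ip, cache[ip]))


def report(con, cid):
    """Return (hostname from layout A, hostname from layout B) for one alert."""
    a = con.execute("SELECT ip_src_hostname FROM iphdr WHERE cid=?", (cid,)).fetchone()[0]
    b = con.execute("SELECT c.hostname FROM iphdr i JOIN hostname_cache c "
                    "ON c.ip = i.ip_src WHERE i.cid=?", (cid,)).fetchone()[0]
    return a, b


def demo():
    """Constructed scenario: a lease for 10.0.0.5 changes hands between two runs."""
    con = build_db()
    cache = {}
    for cid in range(1, 4):                      # run 1: 10.0.0.5 is 'lab-pc1'
        record_event(con, cid, 100 + cid, "10.0.0.5", lambda ip: "lab-pc1", cache)
    cache = {}                                   # run 2: lease moved to 'guest-laptop'
    record_event(con, 4, 900, "10.0.0.5", lambda ip: "guest-laptop", cache)
    # Alert 1 keeps 'lab-pc1' in layout A but is reported as 'guest-laptop' by
    # the cache join in layout B; alert 4 agrees in both.
    return report(con, 1), report(con, 4)


if __name__ == "__main__":
    print(demo())
```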