Security Incidents mailing list archives

A note about logging hostname vs. IP address


From: Ryan Russell <ryan () securityfocus com>
Date: Wed, 1 Aug 2001 11:27:29 -0600 (MDT)

Obviously, this is coming up in reference to Code Red logs, but it applies
in general.

Some of the logs we're getting, I believe mostly web logs, log the
hostname, and not the IP address.  As I'm going through and correlating
the logs, this creates a problem.  Now, I'm not writing to complain, but
rather warn.

If you're logging only reverse DNS names, and not also the IP addresses,
then you are throwing away information.  As most people know, one can pick
an arbitrary reverse name for in-addr.arpa netblocks under one's control.
So, if you query an IP address for the name, and get back
www.whitehouse.gov, and only store that, then you now have no idea what IP
address attacked you.

This comes up especially when you are trying to report incidents.  For
example, 9 out of 10 of the hostnames I just tried to turn back into an IP
didn't work, no host by that name.  If I were to try and mail that to the
(apparent) domain contact, they wouldn't be able to do anything about it.

Again, just trying to point out to people that they should be careful
about what they log.

                                        Ryan


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
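The two failure modes Ryan describes (a PTR name that was chosen by whoever controls the in-addr.arpa zone, and a logged hostname that no longer resolves to anything) can be checked mechanically when you go through a log. The following is an added example, not code from the original post or from SecurityFocus. It parses Apache-style common-log lines whose first field is either an IP address or a reverse-DNS name, and for each entry asks: do we still know the address, and does the reverse name forward-confirm? The sample log lines, the DNS tables, and the address 198.51.100.10 are all constructed for the example; pass `live_forward`/`live_reverse` instead of the fake tables to run it against real DNS.

```python
import ipaddress
import re
import socket

# Apache/NCSA common log format: the first field is the client, which is an IP
# address unless the server was configured to log reverse-DNS names instead.
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not from the original post). The request has the
# Code Red probe shape; the first field mixes IP and hostname logging.
SAMPLE_LOG = """\
192.0.2.77 - - [01/Aug/2001:10:15:02 -0600] "GET /default.ida?NNNN HTTP/1.0" 200 -
www.whitehouse.gov - - [01/Aug/2001:10:15:09 -0600] "GET /default.ida?NNNN HTTP/1.0" 200 -
attacker.example.net - - [01/Aug/2001:10:16:30 -0600] "GET /default.ida?NNNN HTTP/1.0" 200 -
"""

# Constructed stand-in for DNS so the example runs offline. In this scenario
# the owner of 192.0.2.0/24 has pointed its PTR record at www.whitehouse.gov,
# while the forward record for that name (hypothetical address here) points
# somewhere else entirely.
FAKE_FORWARD = {"www.whitehouse.gov": ["198.51.100.10"]}
FAKE_REVERSE = {"192.0.2.77": "www.whitehouse.gov",
                "198.51.100.10": "www.whitehouse.gov"}


def fake_forward(name):
    return list(FAKE_FORWARD.get(name, []))


def fake_reverse(ip):
    return FAKE_REVERSE.get(ip)


def live_forward(name):
    """Real A-record lookup; an empty list means 'no host by that name'."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return []


def live_reverse(ip):
    """Real PTR lookup; None when the address has no reverse name."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.gaierror, socket.herror):
        return None


def is_ip(field):
    try:
        ipaddress.ip_address(field)
        return True
    except ValueError:
        return False


def fcrdns(ip, forward=fake_forward, reverse=fake_reverse):
    """Forward-confirmed reverse DNS: the PTR name only counts if it resolves
    back to the same address. Returns (ptr_name, confirmed)."""
    name = reverse(ip)
    if name is None:
        return None, False
    return name, ip in forward(name)


def audit_client(field, forward=fake_forward, reverse=fake_reverse):
    if is_ip(field):
        name, confirmed = fcrdns(field, forward, reverse)
        # The address is on record, so the incident can be reported to the
        # netblock owner even if the PTR name is a lie.
        return {"client": field, "ip": field, "ptr": name,
                "confirmed": confirmed, "reportable": True}
    # Hostname-only entry: the address that hit us was never recorded. A forward
    # lookup now yields only candidates, and an attacker-chosen PTR name may
    # resolve to a bystander or to nothing at all.
    return {"client": field, "ip": None, "ptr": field, "confirmed": False,
            "candidates": forward(field), "reportable": False}


def audit_log(text, forward=fake_forward, reverse=fake_reverse):
    results = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        r = audit_client(m.group("client"), forward, reverse)
        r["request"] = m.group("request")
        results.append(r)
    return results


if __name__ == "__main__":
    for r in audit_log(SAMPLE_LOG):
        print(r)
```

On the constructed data the first entry keeps its address but fails forward confirmation (the PTR says www.whitehouse.gov, the name resolves elsewhere), the second has no recoverable address at all, and the third is the "no host by that name" case: nothing to report to anyone. Only the IP-logged entry is actionable.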

