Snort mailing list archives
RE: When does snort/ACID do DNS lookups
From: "Adriel T. Desautels" <atd () secnetops com>
Date: Thu, 3 Jun 2004 16:47:08 -0400
Dave,

If memory serves me correctly, ACID actually has a DNS cache table in the schema. Sounds like it's not updating the DNS names in the cache; it does a one-time lookup and boom. The reason for this is because DNS queries take a long time. Imagine doing queries on every IP address every time a page is displayed? It would take forever to load. We've actually had to overcome similar issues with our IDS software. The trick is to know when a name has changed and to be able to update that record in the cache as quickly as possible... Anyway, that's my two cents on the issue. The DNS cache capability is needed, but doesn't appear to be bug free. ;)

Adriel T. Desautels
Secure Network Operations
Embracing the future of technology, protecting you.
Office: 978-263-3829
Fax: 978-263-3313
atd () secnetops com
www.secnetops.com

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Humes, David G.
Sent: Thursday, June 03, 2004 3:12 PM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] When does snort/ACID do DNS lookups

I'm looking at a series of alerts in ACID that clearly have the wrong hostname associated with the source IP. The host in question is on a DHCP subnet, and it did get a new lease recently. But alerts continue to be logged that show an old hostname. dig/nslookup on the sensor/database machine return the correct hostname. Since I'm seeing the old hostname associated with new alerts coming into the database, it would seem that it's not doing DNS lookups when the records are viewed. So, then it would seem that it must be doing the lookups when the database receives the alerts from snort. But, that doesn't seem right either, since manual lookups on the sensor/database host return the correct hostname. It appears almost as though something has cached the mapping. The sensor/database host is not running the client name service caching daemon. Any thoughts? Thanks.
--Dave

-------------------------------------------------------
This SF.Net email is sponsored by the new InstallShield X.
From Windows to Linux, servers to mobile, InstallShield X is the one
installation-authoring solution that does it all. Learn more and evaluate today! http://www.installshield.com/Dev2Dev/0504
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
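The stale-hostname behaviour discussed above (a console that resolves an IP once, caches the name, and never refreshes it even after a DHCP lease moves the address to a different host) is easy to reproduce and to fix with a cache that expires entries on the PTR record's TTL and accepts an out-of-band invalidation. The block below is an added illustration written for this archive page; it is not ACID's or Snort's code, and it does not use ACID's schema. The resolver, the clock, the PTR data, the host names and the alert list are all constructed so the example runs offline; a real console would back the resolver with a DNS library that returns the PTR record together with its TTL.

```python
"""TTL-aware reverse-DNS cache for an IDS alert console (constructed example)."""
import time
from dataclasses import dataclass


@dataclass
class CacheEntry:
    name: str
    expires_at: float  # absolute time on the cache's clock; inf = never refresh


class ReverseDnsCache:
    """Maps IP -> hostname. With respect_ttl=True an entry is refreshed once the
    PTR record's TTL has elapsed; with respect_ttl=False it behaves like the
    one-shot cache described in the thread and keeps the first answer forever."""

    def __init__(self, resolver, clock=time.monotonic, respect_ttl=True):
        # resolver: callable(ip) -> (hostname, ttl_seconds). Injected so the
        # example runs offline; in production wrap a DNS client that exposes TTLs.
        self._resolver = resolver
        self._clock = clock
        self._respect_ttl = respect_ttl
        self._entries = {}
        self.resolver_calls = 0  # lets the caller see how many real lookups happened

    def lookup(self, ip):
        now = self._clock()
        entry = self._entries.get(ip)
        if entry is not None and now < entry.expires_at:
            return entry.name  # fresh hit: no DNS round trip for this page render
        name, ttl = self._resolver(ip)
        self.resolver_calls += 1
        expires_at = now + ttl if self._respect_ttl else float("inf")
        self._entries[ip] = CacheEntry(name, expires_at)
        return name

    def invalidate(self, ip):
        # Hook for an external signal that the mapping changed (e.g. a DHCP lease
        # event forwarded to the console), so the next lookup refreshes at once.
        self._entries.pop(ip, None)


class ManualClock:
    """Test clock so the run is deterministic."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


# Constructed PTR data: one DHCP address whose owner changes mid-run.
OLD_NAME = "laptop-alice.corp.example"   # assumed hostname, not from the thread
NEW_NAME = "laptop-bob.corp.example"     # assumed hostname, not from the thread
PTR_TTL = 600                            # assumed TTL on the PTR record
LEASE_CHANGE_AT = 900                    # seconds into the run the lease moves

# Constructed alert stream: (timestamp, source IP, signature name).
ALERTS = [
    (0, "10.0.5.23", "SCAN nmap TCP"),
    (300, "10.0.5.23", "SCAN nmap TCP"),
    (1500, "10.0.5.23", "WEB-MISC /etc/passwd access"),
    (1800, "10.0.5.23", "WEB-MISC /etc/passwd access"),
]


class FakeZone:
    """Stands in for the DNS server; mutable so the lease change can be simulated."""
    def __init__(self):
        self.ptr = {"10.0.5.23": (OLD_NAME, PTR_TTL)}

    def __call__(self, ip):
        return self.ptr[ip]


def run(respect_ttl, notify_on_lease_change=False):
    """Annotate ALERTS with hostnames; returns (names in alert order, DNS lookups)."""
    clock, zone = ManualClock(), FakeZone()
    cache = ReverseDnsCache(zone, clock=clock, respect_ttl=respect_ttl)
    names = []
    for ts, ip, _sig in ALERTS:
        clock.t = ts
        if ts >= LEASE_CHANGE_AT and zone.ptr[ip][0] != NEW_NAME:
            zone.ptr[ip] = (NEW_NAME, PTR_TTL)   # DHCP moved the address to bob
            if notify_on_lease_change:
                cache.invalidate(ip)
        names.append(cache.lookup(ip))
    return names, cache.resolver_calls


if __name__ == "__main__":
    print("TTL-aware cache:", run(True))
    print("one-shot cache :", run(False))
    print("one-shot + DHCP notification:", run(False, notify_on_lease_change=True))
```

The one-shot cache labels every alert after the lease change with the old owner's name while `dig` on the same box already returns the new one, which is exactly the symptom reported in the thread. Honouring the TTL fixes it at the cost of one extra lookup per IP per TTL window; an invalidation hook driven by DHCP or dynamic-DNS update events fixes it without waiting for the TTL to run out. A console that does neither should be treated as producing hostnames that are a hint, not evidence, for any host on a DHCP range.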
Current thread:
- When does snort/ACID do DNS lookups Humes, David G. (Jun 03)
- RE: When does snort/ACID do DNS lookups Adriel T. Desautels (Jun 03)
- RE: When does snort/ACID do DNS lookups todb (Jun 03)
- <Possible follow-ups>
- RE: When does snort/ACID do DNS lookups Truax, Shawn (MBS) (Jun 04)
- RE: When does snort/ACID do DNS lookups Adriel T. Desautels (Jun 03)