Snort mailing list archives
RE: When does snort/ACID do DNS lookups
From: "Adriel T. Desautels" <atd () secnetops com>
Date: Thu, 3 Jun 2004 16:47:08 -0400
Dave,
If memory serves me correctly ACID actually has a dns cache table in the
schema. Sounds like its not updating the DNS names in the cache, does a one
time lookup and boom. The reason for this because DNS queries take a long
time. Imagine doing queries on every IP address every time a page is
displayed? It would take for ever to load. We've actually had to overcome
similar issues with our IDS software. The trick is to know when a name has
changed and to be able to update that record in the cache as quickly as
possible... Anyway, that's my two cents on the issue. The DNS cache
capability is needed, but doesn't appear to be bug free. ;)
Adriel T. Desautels
Secure Network Operations
Embracing the future of technology, protecting you.
Office: 978-263-3829 Fax: 978-263-3313
atd () secnetops com www.secnetops.com
-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Humes,
David G.
Sent: Thursday, June 03, 2004 3:12 PM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] When does snort/ACID do DNS lookups
I'm looking at a series of alerts in ACID that clearly have the wrong
hostname associated with the source IP. The host in question is on a DHCP
subnet, and it did get a new lease recently. But alerts continue to be
logged that show an old hostname. dig/nslookup on the sensor/database
machine return the correct hostname. Since I'm seeing the old hostname
associated with new alerts coming into the database, it would seem that it's
not doing DNS lookups when the records are viewed. So, then it would seem
that it must be doing the lookups when the database receives the alerts from
snort. But, that doesn't seem right either since manual lookups on the
sensor/database host return the correct hostname. It appears almost as
though something has cached the mapping. The sensor/database host is not
running client name service caching daemon. Any thoughts?
Thanks.
--Dave
-------------------------------------------------------
This SF.Net email is sponsored by the new InstallShield X.
From Windows to Linux, servers to mobile, InstallShield X is the one
installation-authoring solution that does it all. Learn more and evaluate today! http://www.installshield.com/Dev2Dev/0504 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users ------------------------------------------------------- This SF.Net email is sponsored by the new InstallShield X.
From Windows to Linux, servers to mobile, InstallShield X is the one
installation-authoring solution that does it all. Learn more and evaluate today! http://www.installshield.com/Dev2Dev/0504 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- When does snort/ACID do DNS lookups Humes, David G. (Jun 03)
- RE: When does snort/ACID do DNS lookups Adriel T. Desautels (Jun 03)
- RE: When does snort/ACID do DNS lookups todb (Jun 03)
- <Possible follow-ups>
- RE: When does snort/ACID do DNS lookups Truax, Shawn (MBS) (Jun 04)
- RE: When does snort/ACID do DNS lookups Adriel T. Desautels (Jun 03)