Snort mailing list archives

RE: When does snort/ACID do DNS lookups


From: "Truax, Shawn (MBS)" <Shawn.Truax () mbs gov on ca>
Date: Fri, 4 Jun 2004 09:26:36 -0400

Hi Dave,

The other responses have covered off the high-level info you need.  If you
want the techie stuff, go into your acid_conf.php file; there is a section
half way in for all your DNS settings.  You can turn resolve on or off and
set cache lifetime options.  If your DNS changes weekly, for example, set your
cache variables to a week or less and they will refresh themselves for you.

Shawn Truax
Security Specialist
Corporate Security
155 University Ave.
Toronto, Ontario
M5H 3B7
(416)327-1107


-----Original Message-----
From: Humes, David G. [mailto:David.Humes () jhuapl edu]
Sent: June 3, 2004 3:12 PM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] When does snort/ACID do DNS lookups


I'm looking at a series of alerts in ACID that clearly have the wrong
hostname associated with the source IP.  The host in question is on a DHCP
subnet, and it did get a new lease recently.  But alerts continue to be
logged that show an old hostname.  dig/nslookup on the sensor/database
machine return the correct hostname.  Since I'm seeing the old hostname
associated with new alerts coming into the database, it would seem that it's
not doing DNS lookups when the records are viewed.  So, then it would seem
that it must be doing the lookups when the database receives the alerts from
snort.  But, that doesn't seem right either since manual lookups on the
sensor/database host return the correct hostname.  It appears almost as
though something has cached the mapping.  The sensor/database host is not
running client name service caching daemon.  Any thoughts?

Thanks.

--Dave

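A check a practitioner would want after reading the two messages above, added here and not code from either poster or from the ACID project: look at what ACID has actually cached for the host, how old that entry is, and expire it. The settings Shawn mentions control how long ACID trusts its own cached name-to-address mapping, which is why dig on the same box can disagree with the console. This assumes the stock ACID MySQL schema, where the `acid_ip_cache` table holds the cached name (`ipc_fqdn`) and lookup time (`ipc_dns_timestamp`) keyed by the IPv4 address as an unsigned 32-bit integer (`ipc_ip`); check your own schema if it was customised. The address 10.1.2.3 and the 48-hour lifetime are constructed for the example; the lifetime should match whatever your acid_conf.php sets.

```sql
-- Show the cached name and its age for one source address (10.1.2.3 is a
-- constructed example). ipc_ip is stored as an unsigned integer, so convert
-- with INET_ATON / INET_NTOA.
SELECT INET_NTOA(ipc_ip)                                  AS ip,
       ipc_fqdn,
       ipc_dns_timestamp,
       TIMESTAMPDIFF(HOUR, ipc_dns_timestamp, NOW())      AS age_hours
  FROM acid_ip_cache
 WHERE ipc_ip = INET_ATON('10.1.2.3');

-- List every cached name older than the configured DNS cache lifetime
-- (48 hours assumed here). Until an entry passes this age, the console
-- keeps displaying it regardless of what DNS now says.
SELECT INET_NTOA(ipc_ip) AS ip, ipc_fqdn, ipc_dns_timestamp
  FROM acid_ip_cache
 WHERE ipc_dns_timestamp < NOW() - INTERVAL 48 HOUR
 ORDER BY ipc_dns_timestamp;

-- Force a fresh lookup for one host the next time an alert is viewed by
-- removing its cache row (any cached whois text in the same row goes too).
DELETE FROM acid_ip_cache
 WHERE ipc_ip = INET_ATON('10.1.2.3');

-- Or flush all stale DNS entries at once, e.g. for a DHCP subnet after a
-- round of lease renewals.
DELETE FROM acid_ip_cache
 WHERE ipc_dns_timestamp < NOW() - INTERVAL 48 HOUR;
```

If names must track DHCP leases, the DNS cache lifetime in acid_conf.php needs to be shorter than the lease time; otherwise a host that renews with a new address will be shown under its previous name until the cache entry ages out, which is exactly the symptom Dave describes. Resolving at display time is also a privacy and load consideration: every alert view from the console triggers reverse lookups for addresses that have expired from the cache, so on a busy sensor a longer lifetime trades accuracy for fewer queries to the resolver.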
