Snort mailing list archives
RE: When did this change?
From: Frank Knobbe <frank () knobbe us>
Date: Tue, 29 Jun 2004 18:46:28 -0500
On Sun, 2004-06-27 at 14:27, Jeff Dell wrote:
> It hasn't changed. Those additional tables were installed by Aanval Intrusion Detection Console. You must have installed it between May04 and now.
Who developed Aanval? You Jeff? If so, here is a suggestion.

I would not keep host names in a separate table for caching purposes. Relations between host names and IP addresses change over time (especially in internal networks). I would suggest saving the resolved host names in the iphdr table right next to the IP address. That way you have a matching IP-hostname pair as it was resolved at time of capture or name resolution. Even if the host name or IP address changes down the road (i.e. new DHCP lease), you have the alert linked to the correct host name and IP as it was at the time of attack.

Fetching a host name out of a separate table indexed on IP creates false host name representations and can severely distort reports and mislead humans.

(If the hostname table is just for sensors, then of course ignore this email :)

Regards,
Frank
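The DHCP-lease problem Frank describes, as an added illustration that is not part of the thread and not Aanval's or Snort's own code: a small sqlite3 script with a constructed, simplified schema (the real Snort database tables differ) that records the same two alerts under both designs. Design A keeps host names in a separate cache table keyed on IP; design B stores the name as resolved at capture time beside the address in the packet-header table. After the lease moves, the cache-based report attributes the first alert to the wrong machine while the inline copy still names the host that was actually involved. All table names other than `event` and `iphdr`, the IPs, and the host names are assumptions.

```python
import sqlite3

# Constructed, simplified schema in the spirit of the Snort database tables
# named in the thread (event, iphdr). This is NOT the real schema.
SCHEMA = """
CREATE TABLE event (sid INTEGER, cid INTEGER, timestamp TEXT, PRIMARY KEY (sid, cid));

-- Design A: host names cached in a separate table indexed on IP.
CREATE TABLE iphdr_a (sid INTEGER, cid INTEGER, ip_src TEXT, ip_dst TEXT,
                      PRIMARY KEY (sid, cid));
CREATE TABLE hostcache (ip TEXT PRIMARY KEY, hostname TEXT);

-- Design B: the name as resolved at capture time stored beside the address.
CREATE TABLE iphdr_b (sid INTEGER, cid INTEGER,
                      ip_src TEXT, ip_src_name TEXT,
                      ip_dst TEXT, ip_dst_name TEXT,
                      PRIMARY KEY (sid, cid));
"""


def open_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def record_alert(con, sid, cid, ts, ip_src, ip_dst, dns):
    """Store one alert under both designs. `dns` is a dict standing in for the
    resolver's view of the network at the moment of capture (constructed)."""
    src_name = dns.get(ip_src, ip_src)
    dst_name = dns.get(ip_dst, ip_dst)
    con.execute("INSERT INTO event VALUES (?,?,?)", (sid, cid, ts))
    con.execute("INSERT INTO iphdr_a VALUES (?,?,?,?)", (sid, cid, ip_src, ip_dst))
    # Design A refreshes the cache on every resolution, so the older mapping
    # for the same IP is silently overwritten.
    for ip, name in ((ip_src, src_name), (ip_dst, dst_name)):
        con.execute("INSERT OR REPLACE INTO hostcache VALUES (?,?)", (ip, name))
    con.execute("INSERT INTO iphdr_b VALUES (?,?,?,?,?,?)",
                (sid, cid, ip_src, src_name, ip_dst, dst_name))
    con.commit()


def source_name_design_a(con, sid, cid):
    """Report-style lookup: join the alert's source IP against the cache table."""
    row = con.execute("""
        SELECT COALESCE(h.hostname, i.ip_src)
        FROM iphdr_a i LEFT JOIN hostcache h ON h.ip = i.ip_src
        WHERE i.sid = ? AND i.cid = ?""", (sid, cid)).fetchone()
    return row[0]


def source_name_design_b(con, sid, cid):
    """Report-style lookup: the name that was captured with the alert itself."""
    row = con.execute("SELECT ip_src_name FROM iphdr_b WHERE sid = ? AND cid = ?",
                      (sid, cid)).fetchone()
    return row[0]


def run_scenario():
    con = open_db()
    # Day 1 (constructed): 10.0.0.5 is leased to Alice's workstation, which trips an alert.
    dns_day1 = {"10.0.0.5": "ws-alice.corp.example", "10.0.0.1": "gw.corp.example"}
    record_alert(con, 1, 1, "2004-06-27 14:00:00", "10.0.0.5", "10.0.0.1", dns_day1)
    # Day 2 (constructed): the lease expired and 10.0.0.5 now belongs to a lobby
    # printer, which raises an unrelated alert.
    dns_day2 = {"10.0.0.5": "printer-lobby.corp.example", "10.0.0.1": "gw.corp.example"}
    record_alert(con, 1, 2, "2004-06-28 09:00:00", "10.0.0.5", "10.0.0.1", dns_day2)
    return {
        "alert1_design_a": source_name_design_a(con, 1, 1),
        "alert1_design_b": source_name_design_b(con, 1, 1),
        "alert2_design_a": source_name_design_a(con, 1, 2),
        "alert2_design_b": source_name_design_b(con, 1, 2),
    }


if __name__ == "__main__":
    for label, name in run_scenario().items():
        print(label, "->", name)
```

Running the script shows the distortion Frank warns about: under design A the day-1 alert is reported against the printer, because the cache row for 10.0.0.5 was overwritten on day 2, whereas design B still reports it against Alice's workstation. Storing the resolved name with the alert costs one extra column per address but makes the historical record self-describing.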