Snort mailing list archives

RE: When did this change?


From: Frank Knobbe <frank () knobbe us>
Date: Tue, 29 Jun 2004 18:46:28 -0500

On Sun, 2004-06-27 at 14:27, Jeff Dell wrote:
> It hasn't changed.. Those additional tables were installed by Aanval
> Intrusion Detection Console. You must have installed it between May04 and
> now.

Who developed Aanval? You Jeff?

If so, here is a suggestion. I would not keep host names in a separate
table for caching purposes. Relations between host names and IP
addresses change over time (especially in internal networks). I would
suggest saving the resolved host names in the iphdr table right next to
the IP address. That way you have a matching IP-hostname pair as it was
resolved at time of capture or name resolution. Even if the host name or
IP address change down the road (i.e. new DHCP lease), you have the
alert linked to the correct host name and IP as it was at the time of
attack. Fetching a host name out of a separate table indexed on IP creates
false host name representations and can severely distort reports and
mislead humans.

(If the hostname table is just for sensors, then of course ignore this
email :)


Regards,
Frank
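The failure mode Frank describes, as an added illustration that is not part of the original thread or of Aanval or Snort: two alerts from the same internal address, captured before and after a DHCP lease moves that address to a different machine. The table layouts below are deliberately simplified stand-ins (Snort's real iphdr stores addresses as integers and has many more columns), and the event data is constructed for the example.

```python
import sqlite3

# Constructed sample alerts (not real data): the same internal address is
# handed to two different hosts over time, as happens with DHCP leases.
EVENTS = [
    # (cid, timestamp, ip_src, name the resolver returned at capture time)
    (1, "2004-05-03 08:12:00", "10.0.0.5", "alice-laptop"),
    (2, "2004-06-27 14:27:00", "10.0.0.5", "lab-printer"),
]


def attribution_with_cache_table(events):
    """Model A: host names kept in a separate cache table keyed by IP.

    Each resolution overwrites the single row for that IP, so any report
    built later sees whatever name the IP carried most recently."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE event (cid INTEGER PRIMARY KEY, timestamp TEXT);
        CREATE TABLE iphdr (cid INTEGER, ip_src TEXT);
        CREATE TABLE hostname_cache (ip TEXT PRIMARY KEY, name TEXT);
    """)
    for cid, ts, ip, name in events:
        conn.execute("INSERT INTO event VALUES (?, ?)", (cid, ts))
        conn.execute("INSERT INTO iphdr VALUES (?, ?)", (cid, ip))
        # Cache refresh: the later resolution replaces the earlier one.
        conn.execute("INSERT OR REPLACE INTO hostname_cache VALUES (?, ?)",
                     (ip, name))
    rows = conn.execute("""
        SELECT e.cid, h.name
        FROM event e
        JOIN iphdr i ON i.cid = e.cid
        LEFT JOIN hostname_cache h ON h.ip = i.ip_src
        ORDER BY e.cid
    """).fetchall()
    conn.close()
    return dict(rows)


def attribution_with_inline_name(events):
    """Model B (the suggestion in the mail): the resolved name is stored in
    iphdr next to the address, so every alert keeps the IP/hostname pair
    exactly as it was when the packet was captured or first resolved."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE event (cid INTEGER PRIMARY KEY, timestamp TEXT);
        CREATE TABLE iphdr (cid INTEGER, ip_src TEXT, ip_src_name TEXT);
    """)
    for cid, ts, ip, name in events:
        conn.execute("INSERT INTO event VALUES (?, ?)", (cid, ts))
        conn.execute("INSERT INTO iphdr VALUES (?, ?, ?)", (cid, ip, name))
    rows = conn.execute("""
        SELECT e.cid, i.ip_src_name
        FROM event e
        JOIN iphdr i ON i.cid = e.cid
        ORDER BY e.cid
    """).fetchall()
    conn.close()
    return dict(rows)


def misattributed_alerts(events):
    """cids for which the cache model reports a different host than the one
    the resolver actually returned when the alert was captured."""
    cached = attribution_with_cache_table(events)
    actual = {cid: name for cid, _, _, name in events}
    return sorted(cid for cid in actual if cached[cid] != actual[cid])


if __name__ == "__main__":
    print("cache table   :", attribution_with_cache_table(EVENTS))
    print("inline name   :", attribution_with_inline_name(EVENTS))
    print("misattributed :", misattributed_alerts(EVENTS))
```

With the cache table, alert 1 is reported against lab-printer even though alice-laptop held 10.0.0.5 when that alert fired; storing the name inline keeps both alerts attached to the host that actually had the address at the time.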
