[Snort-devel] resolve dns/ netbios names
Donald.Smith at ...530...
Mon Jan 24 08:44:17 EST 2005
It's also a really bad idea from a secops perspective.
If you do a reverse lookup AND an attacker owns the DNS or a system in front of it, they could easily send a packet that ONLY an IDS would do anything about. If that IDS did a lookup they could map networks with IDSes.
Maybe having an IDS is not as unique as it was a few years ago, but I still don't want to alert a hacker that I'm watching.
Donald.Smith at ...530... GCIA
design_in_security @ the beginning &
ease_of_use != A*(1/Data_Security)
> -----Original Message-----
> From: snort-devel-admin at lists.sourceforge.net
> [mailto:snort-devel-admin at lists.sourceforge.net] On Behalf Of
> Martin Roesch
> Sent: Monday, January 24, 2005 8:39 AM
> To: John Beaudoin
> Cc: snort-devel at lists.sourceforge.net
> Subject: Re: [Snort-devel] resolve dns/ netbios names
> Hi John,
> No, there isn't; implementing name resolution would impact Snort's
> performance negatively so we've always left it as a post-process
> function for the user.
> On Jan 23, 2005, at 9:12 AM, John Beaudoin wrote:
> > Is there an option I can invoke that, when writing to the log
> > directory, will write the directory names as the FQDN and/or
> > NetBIOS name instead of the IP address? This would be handy for both
> > LAN and WAN traffic analysis.
> > This is the option I use now: snort.exe -X -l c:\snort\log
> > John
> Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
> Sourcefire - Discover. Determine. Defend.
> roesch at ...402... - http://www.sourcefire.com
> Snort: Open Source Network IDS - http://www.snort.org
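An added illustration of the post-processing approach discussed in this thread (not code from Snort or from any poster): it labels IP-named log directories from a local hosts-format table, so no reverse lookup is ever sent on the wire. The function names, the table contents and the sample addresses are assumptions constructed for the example.

```python
import ipaddress
import os
import tempfile

# Constructed sample: a hosts-format table the analyst prepares ahead of
# time (for example, exported from internal DNS or DHCP records).
SAMPLE_HOSTS = """\
# address      name                 aliases
192.0.2.10     web01.example.test   web01
192.0.2.25     mail.example.test
198.51.100.7   vpn-gw.example.test  # constructed entry
"""

def load_hosts(text):
    """Parse hosts-format text into {ip_address object: first name}."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank line, comment, or address without a name
        try:
            table[ipaddress.ip_address(fields[0])] = fields[1]
        except ValueError:
            continue  # first field is not an IP address
    return table

def label_log_dirs(log_dir, hosts):
    """Map each IP-named subdirectory of log_dir to a name, or None."""
    # Only the local table is consulted: no DNS or NetBIOS query is sent,
    # so a crafted packet cannot make the analysis host reveal itself.
    labels = {}
    for entry in sorted(os.listdir(log_dir)):
        if not os.path.isdir(os.path.join(log_dir, entry)):
            continue  # plain files such as the alert file
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            continue  # directory not named after an address
        labels[entry] = hosts.get(addr)  # None: leave it as an address
    return labels

def demo():
    """Build a constructed log tree in a temp directory and label it."""
    with tempfile.TemporaryDirectory() as log_dir:
        for name in ("192.0.2.10", "203.0.113.99", "notes"):
            os.mkdir(os.path.join(log_dir, name))
        open(os.path.join(log_dir, "alert"), "w").close()
        return label_log_dirs(log_dir, load_hosts(SAMPLE_HOSTS))
```

Addresses missing from the table come back as `None` and stay as plain IPs in the report rather than triggering a live query.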