[Snort-devel] resolve dns/ netbios names

Smith, Donald Donald.Smith at ...530...
Mon Jan 24 08:44:17 EST 2005


It's also a really bad idea from a secops perspective.
If you do a reverse lookup AND an attacker owns the DNS or a system in front of it, they could easily send a packet that ONLY an IDS would do anything about. If that IDS did a lookup, they could map networks with IDSes.
Maybe having an IDS is not as unique as it was a few years ago, but I still don't want to alert a hacker that I'm watching.

Donald.Smith at ...530... GCIA
design_in_security @ the beginning & 
ease_of_use != A*(1/Data_Security)

> -----Original Message-----
> From: snort-devel-admin at lists.sourceforge.net 
> [mailto:snort-devel-admin at lists.sourceforge.net] On Behalf Of 
> Martin Roesch
> Sent: Monday, January 24, 2005 8:39 AM
> To: John Beaudoin
> Cc: snort-devel at lists.sourceforge.net
> Subject: Re: [Snort-devel] resolve dns/ netbios names
> 
> 
> Hi John,
> 
> No, there isn't. Implementing name resolution would impact Snort's 
> performance negatively, so we've always left it as a post-process 
> function for the user.
> 
>       -Marty
> 
> On Jan 23, 2005, at 9:12 AM, John Beaudoin wrote:
> 
> > Is there an option I can invoke so that, when writing to the log 
> > directory, it will write the directory names as the FQDN and/or 
> > NetBIOS name instead of the IP address? This would be handy for both 
> > LAN and WAN traffic analysis.
> >
> > This is the option I use now: snort.exe -X -l c:\snort\log
> >
> > John
> >
> -- 
> Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
> Sourcefire - Discover.  Determine.  Defend.
> roesch at ...402... - http://www.sourcefire.com
> Snort: Open Source Network IDS - http://www.snort.org
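The post-process approach Marty describes, as an added example that is neither Snort's code nor from either poster: a script that parses Snort's fast-format alert lines after capture and annotates addresses from a local name table (a hosts file or asset inventory export), so that no DNS query is issued by the sensor at detection time and, in this form, none is issued by the analyst host either. The alert lines, the name table, and the function and class names are constructed for the example.

```python
"""Offline post-processing of Snort fast-alert lines: resolve addresses to
names after capture, outside the sensor's detection path.

Added example, not Snort code. The alert lines and name table below are
constructed; the name table stands in for a local hosts file or inventory."""
import re
from typing import Callable, Dict, List, Optional

# Constructed sample lines in Snort's "fast" alert format.
SAMPLE_ALERTS = [
    "01/24-08:44:17.123456  [**] [1:1000001:1] EXAMPLE probe [**] [Priority: 2] "
    "{TCP} 10.0.0.5:4321 -> 192.168.1.10:80",
    "01/24-08:44:18.000001  [**] [1:1000002:1] EXAMPLE scan [**] [Priority: 3] "
    "{UDP} 10.0.0.7:53 -> 192.168.1.11:53",
    "01/24-08:44:19.500000  [**] [1:1000001:1] EXAMPLE probe [**] [Priority: 2] "
    "{TCP} 10.0.0.5:4322 -> 192.168.1.10:443",
]

# Constructed local name table: the only name source this script consults.
LOCAL_NAMES = {
    "192.168.1.10": "web01.example.internal",
    "10.0.0.5": "wks05.example.internal",
}

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sid>[^\]]+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Parse one fast-format alert line; return None if it does not match."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None


class CachingResolver:
    """Wrap a lookup callable so each address is looked up at most once per run."""

    def __init__(self, lookup: Callable[[str], Optional[str]]):
        self._lookup = lookup
        self._cache: Dict[str, Optional[str]] = {}
        self.lookups = 0  # how many times the underlying source was consulted

    def __call__(self, ip: str) -> Optional[str]:
        if ip not in self._cache:
            self.lookups += 1
            self._cache[ip] = self._lookup(ip)
        return self._cache[ip]


def local_lookup(ip: str) -> Optional[str]:
    """Offline name source: a static table, so no query leaves this host."""
    return LOCAL_NAMES.get(ip)


def enrich_alerts(
    lines: List[str], resolver: Callable[[str], Optional[str]]
) -> List[Dict[str, Optional[str]]]:
    """Parse each line and attach src_name/dst_name (None when unknown)."""
    out = []
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            continue  # skip unparseable lines instead of aborting the batch
        rec["src_name"] = resolver(rec["src"])
        rec["dst_name"] = resolver(rec["dst"])
        out.append(rec)
    return out


def render(rec: Dict[str, Optional[str]]) -> str:
    """One-line summary with names shown beside addresses where known."""
    def label(ip: Optional[str], name: Optional[str]) -> str:
        return f"{ip} ({name})" if name else str(ip)

    return (f"{rec['ts']} {rec['msg']} "
            f"{label(rec['src'], rec['src_name'])} -> "
            f"{label(rec['dst'], rec['dst_name'])}")


if __name__ == "__main__":
    resolver = CachingResolver(local_lookup)
    for record in enrich_alerts(SAMPLE_ALERTS, resolver):
        print(render(record))
    print(f"{resolver.lookups} lookups for {2 * len(SAMPLE_ALERTS)} addresses")
```

The resolver is injected rather than hard-coded so an analyst who does want live reverse DNS can pass a different callable on a host that is not the sensor; the cache keeps that to one query per distinct address, and unknown addresses are left as bare IPs rather than dropped.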