[Snort-users] Reverse DNS lookup online

Phil Wood cpw at ...440...
Thu Oct 5 10:50:51 EDT 2000


Two programs that come with linux could be easily incorporated on a web
page:

  % host 205.164.216.1
  Name: rapidnet.com
  Address: 205.164.216.1

  and

  % whois 205.164.216.1
  AGIS/Net99 (NETBLK-AGISCC)      AGISCC          205.164.64.0 - 205.164.255.255
  RapidNet, Inc. (NETBLK-RAPIDNET-BLK-205-164) RAPIDNET-BLK-205-164
                                               205.164.216.0 - 205.164.217.255

  To single out one record, look it up with "!xxx", where xxx is the
  handle, shown in parenthesis following the name, which comes first.

  The ARIN Registration Services Host contains ONLY Internet
  Network Information: Networks, ASN's, and related POC's.
  Please use the whois server at rs.internic.net for DOMAIN related
  Information and whois.nic.mil for NIPRNET Information.

=============================================================================

Also, there is a shell script by Greg A. Woods (no relation to my brother
Greg Wood), called awhois that looks like this:

============================beginning of script==============================
#! /bin/sh
#
#	awhois - all-encompassing whois client wrapper....
#
# (c) Copyright 1998 Greg A. Woods.
# Freely redistributable.
# All other rights reserved.
# Return all fixes/modifications to <woods at ...575...>.
#
#ident	"@(#)LOCAL:awhois.sh	1.13	98/06/29 00:11:35 (woods)"
#ident	"@(#)awhois:$Name$:$Id$"

argv0=`basename $0`

DEFAULTWHOISHOST="whois.internic.net"

USAGE="Usage: $argv0 [-h whois-host] query-string"

HELP="$USAGE
	-h host	query the specified host.

The appropriate whois server will be chosen based on the query-string
given, so long as it is recognized as a handle, host, domain, network,
AS number, etc.  If the query-string doesn't match an appropriate
pattern the default server ($DEFAULTWHOISHOST) will be queried.
"

WHOISHOST=""

while getopts "h:H" OPTCHAR ; do
	case $OPTCHAR in
	h)
		WHOISHOST=$OPTARG
		;;
	H)
		echo "$HELP" 1>&2
		exit 2
		;;
	\?)
		echo "$USAGE" 1>&2
		exit 2
		;;
	esac
done
shift `expr $OPTIND - 1`

# so far as I know all whois servers are case-insensitive....
# XXX this invocation of tr should work for SysV & BSD & POSIX
#

QUERY=`echo "$*" | tr '[A-Z]' '[a-z]'`

if [ -n "$WHOISHOST" ] ; then
	exec whois -h $WHOISHOST "$QUERY"
fi

host $QUERY
case "$QUERY" in

# mostly derived from "whois -h whois.arin.net European"
62.*|163.12[89].*|163.1[3][0-9].*|163.14[0-3].*|164.40.*|171.1[6-9].*|171.2[0-9].*|171.3[0-3].*|192.162.*|192.16[4-7].*|19[3-5].*)
	exec whois -h whois.ripe.net "$QUERY"
	;;

# mostly derived from "whois -h whois.arin.net Asia"
61.*|169.20[89].*|169.21[0-9].*|169.22[0-3].*|20[23].*|21[01].*)
	exec whois -h whois.apnic.net "$QUERY"
	;;

# This is a bit of a quick&dirty hack.
# ARIN's info for this (under NETBLK-SEED-NETS) says: 192.72.3.0 - 192.72.252.0
192.72.*)
	exec whois -h whois.iii.org.tw "$QUERY"
	;;

# the rest of the IP numbers, AS numbers, ARIN handle patterns, ...
[1-9].*|[1-9][0-9].*|[12][0-9][0-9].*|[0-9]|[0-9][0-9]|[0-9][0-9][0-9]|[0-9][0-9][0-9][0-9]|[0-9][0-9][0-9][0-9][0-9]|*-arin|*-ARIN|net-*|NET-*|netblk-*|NETBLK-*|asn-*|ASN-*)
	exec whois -h whois.arin.net "$QUERY"
	;;

*.com|*.org|*.edu|*.net|*-dom|*-org)
	exec whois -h whois.internic.net "$QUERY"
	;;

*.gov)
	exec whois -h whois.nic.gov "$QUERY"
	;;

*.mil)
	exec whois -h whois.nic.mil "$QUERY"
	;;

*.at)
	exec whois -h whois.univie.ac.at "$QUERY"
	;;

*.au)
	exec whois -h whois.aunic.net "$QUERY"
	;;

*.ca)
	exec whois -h whois.cdnnet.ca "$QUERY"
	;;

*.ch)
	exec whois -h whois.nic.ch "$QUERY"
	;;

*.de)
	exec whois -h whois.nic.de "$QUERY"
	;;

*.fr)
	exec whois -h whois.nic.fr "$QUERY"
	;;

*.it)
	exec whois -h whois.nic.it "$QUERY"
	;;

*.jp)
	exec whois -h whois.nic.ad.jp "$QUERY/e"
	;;

*.kr)
	exec whois -h whois.krnic.net "$QUERY"
	;;

*.li)
	exec whois -h whois.nic.li "$QUERY"
	;;

*.mx)
	exec whois -h nic.mx "$QUERY"
	;;

*.nl)
	exec whois -h www.domain-registry.nl "$QUERY"
	;;

*.pk)
	exec whois -h whois.pknic.net.pk "$QUERY"
	;;

*.se)
	exec whois -h whois.sunet.se "$QUERY"
	;;

*.sg)
	exec whois -h whois.nic.net.sg "$QUERY"
	;;

*.th)
	exec whois -h whois.thnic.net "$QUERY"
	;;

*.com.tw)
	exec whois -h whois.iii.org.tw "$QUERY"
	;;

*.tw)
	exec whois -h whois.twnic.net "$QUERY"
	;;

*.ac.uk)
	exec whois -h whois.ja.net "$QUERY"
	;;

*.co.uk|*.org.uk|*.net.uk|*.plc.uk|*.gov.uk)
	exec whois -h whois.nic.uk "$QUERY"
	;;

# catch-all....
[a-z][a-z][0-9]*|[a-z][a-z][a-z][0-9]*)
	exec whois -h whois.internic.net "$QUERY"
	;;

esac

echo "Warning: '$argv0' knows not which whois server to talk to for '$QUERY'." 1>&2

exec whois -h $DEFAULTWHOISHOST "$QUERY"
#====================end of script===========================================

==============================================================================
On Wed, Oct 04, 2000 at 11:03:12PM -0600, Nick Rogness wrote:
> On Wed, 4 Oct 2000, Jim Forster wrote:
> 
> 
> 	http://www.infiltration.net/dnsptr.html
> 
> 
> 
> > I've been using http://www.securityspace.com/cgi-bin/swhois/whois?show=none
> > Give it a shot!  :)
> > 
> > ----- Original Message ----- 
> > From: "James Hoagland" <hoagland at ...155...>
> > To: <snort-users at lists.sourceforge.net>
> > Cc: <hoagland at ...155...>
> > Sent: Wednesday, October 04, 2000 1:07 PM
> > Subject: [Snort-users] Reverse DNS lookup online
> > 
> > 
> > > 
> > > Hello,
> > > 
> > > Sorry for the somewhat off topic post, but does anyone know a good 
> > > web site that provides a reverse DNS lookup (IP -> name) tool?  I'd 
> > > like to add a link to that from SnortSnarf generated pages.
> > > 
> > > Thanks,
> > > 
> > >    Jim
> > > -- 
> > > |*   Jim Hoagland, Associate Researcher, Silicon Defense    *|
> > > |*               hoagland at ...47...                *|
> > > |*  Voice: (707) 445-4355 x13          Fax: (707) 445-4222  *|
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > http://lists.sourceforge.net/mailman/listinfo/snort-users
> > 
> > 
> 
> Nick Rogness
> - Drive defensively.  Buy a tank.
> 

-- 
Phil Wood, cpw at ...440...
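An added example (not from the thread, nor part of awhois) that carries the two ideas above into Python: routing a whois query by address prefix, following the prefix patterns in the awhois case statement, and the IP-to-name lookup Jim asked about, with the PTR result forward-confirmed and HTML-escaped before it lands on a generated page. The resolver parameters and the sample records in the test are constructed for illustration.

```python
import html
import ipaddress
import socket

# Whois routing built from the prefix patterns in the awhois case statement
# above; anything unmatched falls through to ARIN, as in the script.
# (Registry boundaries have shifted since 2000; the table is illustrative.)
REGISTRIES = [
    ("whois.ripe.net", ["62.0.0.0/8", "163.128.0.0/12", "164.40.0.0/16",
                        "171.16.0.0/12", "171.32.0.0/15", "192.162.0.0/16",
                        "192.164.0.0/22", "193.0.0.0/8", "194.0.0.0/7"]),
    ("whois.apnic.net", ["61.0.0.0/8", "169.208.0.0/12", "202.0.0.0/7",
                         "210.0.0.0/7"]),
    ("whois.iii.org.tw", ["192.72.0.0/16"]),
]
REGISTRIES = [(srv, [ipaddress.ip_network(n) for n in nets])
              for srv, nets in REGISTRIES]


def whois_server_for_ip(ip):
    """Choose the whois server by address prefix, as awhois does."""
    addr = ipaddress.ip_address(ip)
    for server, blocks in REGISTRIES:
        if any(addr in net for net in blocks):
            return server
    return "whois.arin.net"


def forward_confirmed_name(ip, resolve_ptr=socket.gethostbyaddr,
                           resolve_a=socket.gethostbyname_ex):
    """Return the PTR name for ip only if that name resolves back to ip.
    Whoever controls the address block writes the PTR record, so an
    unconfirmed name on an alert page is a claim, not an identity.
    Resolvers are parameters so the check can be exercised offline."""
    try:
        name = resolve_ptr(ip)[0]
        addresses = resolve_a(name)[2]
    except OSError:  # socket.herror and socket.gaierror are subclasses
        return None
    return name if ip in addresses else None


def alert_line(ip, resolve_ptr=socket.gethostbyaddr,
               resolve_a=socket.gethostbyname_ex):
    """One HTML list item for a generated report. The name is escaped
    because a PTR record may carry arbitrary bytes, including markup."""
    name = forward_confirmed_name(ip, resolve_ptr, resolve_a)
    label = html.escape(name) if name else "(no confirmed PTR)"
    return "<li>%s %s [whois: %s]</li>" % (ip, label, whois_server_for_ip(ip))
```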