[Snort-users] Secure - NSLOOKUP
Joseph.Hager at ...1108...
Mon Jan 8 11:02:46 EST 2001
Last time I checked snort was not doing DNS lookups at the software level.
Couple of questions..
Any chance we'll see this as an option in the future? DNS lookups to a
cache file.. maybe ip.cache with time stamps. If a second instance of that
IP comes in within 3 hours or so.. just grab the dns info from the cache
file.. nice and quick. If it needs to look it up.. spawn a process that
does that and automatically updates the /var/log/secure or snort.log or
wherever you're logging and puts the ip in the ip.cache file so it won't need
resolving again (for 3 hours).
I have a flow chart for a script that would convert the raw snort logs to
modified logs with dns information. Only problem.. I can't code. :-) I
understand code.. but I can't write anything like this. If someone here is
a solid perl programmer and wants to tackle this with me.. I'd be glad to
assist/test this with them.
joshag at ...37... <mailto:joshag at ...37...>
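The cache-and-annotate design sketched in the post, as an added example written for this page (not code from the Snort project or the poster; in Python rather than the Perl the post asks for). The cache file format, the three-hour TTL, and the sample alert lines are assumptions; `resolver` is injectable so the logic can be exercised without network access.

```python
import re
import socket
import time

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
CACHE_TTL = 3 * 60 * 60  # the post's "3 hours or so", in seconds

def load_cache(path):
    # ip.cache lines are '<ip> <hostname> <unix-timestamp>'; missing file = empty cache
    try:
        with open(path) as fh:
            rows = [ln.split() for ln in fh]
    except FileNotFoundError:
        return {}
    return {r[0]: (r[1], float(r[2])) for r in rows if len(r) == 3}

def save_cache(path, cache):
    with open(path, "w") as fh:
        for ip, (name, ts) in sorted(cache.items()):
            fh.write(f"{ip} {name} {ts:.0f}\n")

def default_resolver(ip):
    # Reverse (PTR) lookup; keep the bare IP when nothing resolves
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return ip

def resolve_cached(ip, cache, resolver=default_resolver, now=None, ttl=CACHE_TTL):
    # Returns (hostname, cache_hit); a stale entry (older than ttl) is re-resolved
    now = time.time() if now is None else now
    hit = cache.get(ip)
    if hit is not None and now - hit[1] < ttl:
        return hit[0], True
    name = resolver(ip)
    cache[ip] = (name, now)
    return name, False

def annotate(lines, cache, resolver=default_resolver, now=None):
    # Rewrite every IPv4 address in each log line as 'ip (hostname)'
    def sub(m):
        return f"{m.group(1)} ({resolve_cached(m.group(1), cache, resolver, now)[0]})"
    return [IP_RE.sub(sub, line) for line in lines]

# Constructed sample snort alert lines (not real traffic)
SAMPLE_LINES = [
    "01/08-11:02:46.123456 [**] ICMP PING [**] 192.0.2.10 -> 198.51.100.5",
    "01/08-11:03:01.654321 [**] ICMP PING [**] 192.0.2.10 -> 198.51.100.5",
]
```

Round-trip the cache with `load_cache("ip.cache")` before and `save_cache("ip.cache", cache)` after a run so entries survive between invocations; the second sample line is served entirely from the cache.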