[Snort-users] Secure - NSLOOKUP

Joseph Hager Joseph.Hager at ...1108...
Mon Jan 8 11:02:46 EST 2001


Last time I checked snort was not doing DNS lookups at the software level.
Couple of questions..
 
Any chance we'll see this as an option in the future?  DNS lookups to a
cache file.. maybe ip.cache with time stamps.  If a second instance of that
IP comes in within 3 hours or so.. just grab the dns info from the cache
file.. nice and quick.  If it needs to look it up.. spawn a process that
does that and automatically updates the /var/log/secure or snort.log or
wherever you're logging and puts the ip in the ip.cache file so it won't need
resolved again (for 3 hours).
 
I have a flow chart for a script that would convert the raw snort logs to
modified logs with dns information.  Only problem.. I can't code.  :-)  I
understand code.. but I can't write anything like this.  If someone here is
a solid perl programmer and wants to tackle this with me.. I'd be glad to
assist/test this with them.
 
Joey
joshag at ...37...
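
The cache described in the post, as an added example (not part of the original message and not Snort code), written in Python rather than the Perl the post asks for. The `ip.cache` line layout, the bracketed annotation and the hostname sanitising are assumptions, and lookups run inline instead of in a spawned process.

```python
import re, socket, time

TTL = 3 * 60 * 60                        # the post's "3 hours or so"
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
UNSAFE = re.compile(r"[^A-Za-z0-9._-]")  # PTR data is chosen by the remote side

def ptr_lookup(ip):
    """Reverse lookup; returns '' when the address has no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return ""

class IpCache:
    """ip.cache with one 'ip timestamp hostname' entry per line (assumed layout)."""
    def __init__(self, path, resolver=ptr_lookup, now=time.time):
        self.path, self.resolver, self.now = path, resolver, now
        self.entries = {}                # ip -> (timestamp, hostname)
        try:
            with open(path) as fh:
                for line in fh:
                    parts = line.split()
                    try:                 # later lines override earlier ones
                        self.entries[parts[0]] = (float(parts[1]), "".join(parts[2:3]))
                    except (IndexError, ValueError):
                        continue         # skip malformed cache lines
        except FileNotFoundError:
            pass

    def resolve(self, ip):
        hit = self.entries.get(ip)
        if hit and self.now() - hit[0] < TTL:
            return hit[1]                # fresh entry, no DNS traffic
        # Strip anything that could forge a log line (newlines, brackets, spaces).
        name = UNSAFE.sub("_", self.resolver(ip))[:255]
        stamp = self.now()
        self.entries[ip] = (stamp, name) # failures are cached too
        with open(self.path, "a") as fh:
            fh.write(f"{ip} {stamp} {name}\n")
        return name

    def annotate(self, line):
        """Return the log line with ' [hostname]' after each resolvable IPv4 address."""
        def repl(m):
            name = self.resolve(m.group(0))
            return f"{m.group(0)} [{name}]" if name else m.group(0)
        return IP_RE.sub(repl, line)
```

Each uncached address triggers a PTR query that the owner of that address space can observe, which is one reason to resolve from a post-processing host rather than the sensor itself.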
 