[Snort-users] Secure - NSLOOKUP

Gregor Binder gbinder at ...462...
Mon Jan 8 11:39:14 EST 2001


Joseph Hager on Mon, Jan 08, 2001 at 11:02:46AM -0500:

Hi,

> Any chance we'll see this as an option in the future?  DNS lookups to a
> cache file.. maybe ip.cache with time stamps.  If a second instance of that
> IP comes in within 3 hours or so.. just grab the dns info from the cache
> file.. nice and quick.  If it needs to look it up.. spawn a process that
> does that and automatically updates the /var/log/secure or snort.log or
> wherever your logging and puts the ip in the ip.cache file so it wont need
> resolved again (for 3 hours).

keep in mind that if he has enough addresses and access to his DNS log
files, an attacker could abuse this feature to see what triggers your
snort and what not.

Forking on alerts also opens the door for a remote DoS attack.

Regards,
  Gregor.

-- 
Gregor Binder  <gregor.binder at ...462...>  http://sysfive.com/~gbinder/
sysfive.com GmbH               UNIX. Networking. Security. Applications.
Gaertnerstrasse 125b, 20253 Hamburg, Germany         TEL +49-40-63647482
PGP id: 0x20C6DA55 fp: 18AB 2DD0 F8FA D710 1EDC A97A B128 01C0 20C6 DA55




More information about the Snort-users mailing list