[Snort-users] Secure - NSLOOKUP
Joseph.Hager at ...1108...
Mon Jan 8 12:57:07 EST 2001
If a person has that much access to your box.. the script that I'm
requesting is hardly going to be an issue.. don't you think? And my
thoughts on creating an ip.cache type file.. would help prevent the DoS
attack by only requesting a lookup once per "X" amount of time. I don't see
it being any more of an issue than if a person was simply portscanning a
network and forcing snort to log that information to syslog.
From: Gregor Binder [mailto:gbinder at ...462...]
Sent: Monday, January 08, 2001 11:39 AM
To: Joseph Hager
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Secure - NSLOOKUP
Joseph Hager on Mon, Jan 08, 2001 at 11:02:46AM -0500:
> Any chance we'll see this as an option in the future? DNS lookups to a
> cache file.. maybe ip.cache with time stamps. If a second instance of an
> IP comes in within 3 hours or so.. just grab the dns info from the cache
> file.. nice and quick. If it needs to look it up.. spawn a process that
> does that and automatically updates the /var/log/secure or snort.log or
> wherever you're logging and puts the ip in the ip.cache file so it won't need
> to be resolved again (for 3 hours).
keep in mind that if he has enough addresses and access to his DNS log
files, an attacker could abuse this feature to see what triggers your
snort and what not.
Forking on alerts also opens the door for a remote DoS attack.
Gregor Binder <gregor.binder at ...462...> http://sysfive.com/~gbinder/
sysfive.com GmbH UNIX. Networking. Security. Applications.
Gaertnerstrasse 125b, 20253 Hamburg, Germany TEL +49-40-63647482
PGP id: 0x20C6DA55 fp: 18AB 2DD0 F8FA D710 1EDC A97A B128 01C0 20C6 DA55
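The ip.cache idea from the thread, written out as an added example that is not part of either post and not Snort's own code. It caches each reverse lookup for a TTL (3 hours, as proposed), caches negative results too, and adds a lookup budget per time window so a port scan that fires thousands of alerts cannot turn into thousands of resolver queries, which is the DoS Gregor raises against forking on every alert. The budget size, the window, the status labels and the hostname pattern in the demo are assumptions; the resolver is injectable so the demo runs offline.

```python
"""TTL-bounded reverse-DNS cache with a lookup budget (added example)."""
import socket
import time
from collections import deque
from typing import Callable, Deque, Dict, Optional, Tuple

# A resolver takes a dotted-quad string and returns a hostname or None.
Resolver = Callable[[str], Optional[str]]


def system_resolver(ip: str) -> Optional[str]:
    """Real reverse lookup through the OS resolver (not used by demo())."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


class IPCache:
    """Cache reverse lookups for `ttl` seconds and issue at most
    `max_lookups` fresh queries per `window` seconds (both limits are
    assumptions, not values from the thread)."""

    def __init__(self, resolver: Resolver, ttl: float = 3 * 3600,
                 max_lookups: int = 50, window: float = 60.0,
                 clock: Callable[[], float] = time.time) -> None:
        self._resolve = resolver
        self._ttl = ttl
        self._max = max_lookups
        self._window = window
        self._clock = clock
        # ip -> (hostname or None, time the lookup was made)
        self._entries: Dict[str, Tuple[Optional[str], float]] = {}
        # times of the queries issued inside the current window
        self._issued: Deque[float] = deque()

    def _budget_left(self, now: float) -> bool:
        # Drop timestamps that have aged out of the window, then compare.
        while self._issued and now - self._issued[0] >= self._window:
            self._issued.popleft()
        return len(self._issued) < self._max

    def lookup(self, ip: str) -> Tuple[Optional[str], str]:
        """Return (hostname_or_None, status); status is 'cached',
        'resolved', or 'skipped' when the budget is spent and no query is made."""
        now = self._clock()
        hit = self._entries.get(ip)
        if hit is not None and now - hit[1] < self._ttl:
            return hit[0], "cached"
        if not self._budget_left(now):
            # No query at all: the alert is logged with the bare address.
            return None, "skipped"
        self._issued.append(now)
        name = self._resolve(ip)
        # Negative answers are cached as well, so an unresolvable address
        # costs one query per TTL instead of one query per alert.
        self._entries[ip] = (name, now)
        return name, "resolved"

    def format_alert(self, ip: str) -> str:
        name, status = self.lookup(ip)
        return f"{ip} ({name}) [{status}]" if name else f"{ip} [{status}]"


def demo() -> Dict[str, int]:
    """Feed a constructed alert burst (a scan from two sources) through a
    small cache with a fake resolver; returns how many alerts took each path."""
    calls = []

    def fake_resolver(ip: str) -> Optional[str]:
        calls.append(ip)                      # count real queries issued
        return "host-" + ip.replace(".", "-") if ip.startswith("10.") else None

    clock = [1000.0]
    cache = IPCache(fake_resolver, ttl=3 * 3600, max_lookups=3,
                    window=60.0, clock=lambda: clock[0])
    # Constructed stream: one scanner hits repeatedly, then new addresses appear.
    stream = ["10.0.0.1"] * 5 + ["192.0.2.5", "192.0.2.5", "10.0.0.2", "10.0.0.3"]
    counts = {"cached": 0, "resolved": 0, "skipped": 0, "queries": 0}
    for ip in stream:
        counts[cache.lookup(ip)[1]] += 1
    counts["queries"] = len(calls)
    return counts


if __name__ == "__main__":
    print(demo())
```

With a budget of three lookups per minute, the nine constructed alerts produce three resolver queries, five cache hits (one of them a cached negative answer) and one skipped lookup, and the skipped address would be retried on its next appearance once the window has rolled over.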