[Snort-users] Secure - NSLOOKUP

Martin Roesch roesch at ...421...
Thu Jan 18 02:30:14 EST 2001


Snort doesn't do DNS lookups in real-time for several reasons:

1) It's slow, even if you cache it and try to make it non-blocking
2) It lets people know you're paying attention
3) You can go get the hostnames in an automated fashion when you
actually go to look at the data, having Snort do it automatically is
something of a waste of time.

     -Marty

Gregor Binder wrote:
> 
> Joseph Hager on Mon, Jan 08, 2001 at 11:02:46AM -0500:
> 
> Hi,
> 
> > Any chance we'll see this as an option in the future?  DNS lookups to a
> > cache file.. maybe ip.cache with time stamps.  If a second instance of that
> > IP comes in within 3 hours or so.. just grab the dns info from the cache
> > file.. nice and quick.  If it needs to look it up.. spawn a process that
> > does that and automatically updates the /var/log/secure or snort.log or
> > wherever your logging and puts the ip in the ip.cache file so it wont need
> > resolved again (for 3 hours).
> 
> keep in mind that if he has enough addresses and access to his DNS log
> files, an attacker could abuse this feature to see what triggers your
> snort and what not.
> 
> Forking on alerts also opens the door for a remote DoS attack.
> 
> Regards,
>   Gregor.
> 
> --
> Gregor Binder  <gregor.binder at ...462...>  http://sysfive.com/~gbinder/
> sysfive.com GmbH               UNIX. Networking. Security. Applications.
> Gaertnerstrasse 125b, 20253 Hamburg, Germany         TEL +49-40-63647482
> PGP id: 0x20C6DA55 fp: 18AB 2DD0 F8FA D710 1EDC A97A B128 01C0 20C6 DA55
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/mailman/listinfo/snort-users

--
Martin Roesch
roesch at ...421...
http://www.snort.org




More information about the Snort-users mailing list