[Snort-users] Secure - NSLOOKUP

Joseph Hager Joseph.Hager at ...1108...
Thu Jan 18 14:53:48 EST 2001


I use snort to log internal and not so much external activities.  The major
advantage to doing lookups on the fly is because in a DHCP network where
users can have a different IP today from the one they were assigned a month
ago.. it would be nice to know who that user was if I'm going through older
logs and see something that I might not have caught originally.  WINS
lookups will also be useful.

I AM paying attention.. and I don't really mind that internal users know
that.

Having the information logged from the beginning with everything I might
need is more efficient for my utilization of snort.  It allows me to
incorporate better searching options, reporting tools, etc..  that a broader
range of administrators can access via a web front-end.

I'm not so much worried about looking up host names of external users.  I
agree.. I can do host lookups as needed for those cases.  If snort triggers
an alert from the outside coming in.. it should be something that I either
need to block at the firewall/router level.. or remove the rule from snort.
Or it needs to be something on the inside that a user is doing that they
shouldn't be.. and I need to deal with that action.  If a violation slides
by and I don't catch it.. I need the option of finding out who that user was
a day, week, month or whenever later quickly and easily.  And that is hardly
a waste of time in my opinion.

I have the script designed on paper and have a couple developers working on
the code now.  I'll post a copy (URL) to this list when it's completed and
maybe it will help people using snort in a similar configuration.

Joey
  


 -----Original Message-----
From: 	Martin Roesch [mailto:roesch at ...421...] 
Sent:	Thursday, January 18, 2001 2:30 AM
To:	Gregor Binder
Cc:	Joseph Hager; snort-users at lists.sourceforge.net
Subject:	Re: [Snort-users] Secure - NSLOOKUP

Snort doesn't do DNS lookups in real-time for several reasons:

1) It's slow, even if you cache it and try to make it non-blocking
2) It lets people know you're paying attention
3) You can go get the hostnames in an automated fashion when you
actually go to look at the data, having Snort do it automatically is
something of a waste of time.

     -Marty

Gregor Binder wrote:
> 
> Joseph Hager on Mon, Jan 08, 2001 at 11:02:46AM -0500:
> 
> Hi,
> 
> > Any chance we'll see this as an option in the future?  DNS lookups to a
> > cache file.. maybe ip.cache with time stamps.  If a second instance of
that
> > IP comes in within 3 hours or so.. just grab the dns info from the cache
> > file.. nice and quick.  If it needs to look it up.. spawn a process that
> > does that and automatically updates the /var/log/secure or snort.log or
> > wherever your logging and puts the ip in the ip.cache file so it wont
need
> > resolved again (for 3 hours).
> 
> keep in mind that if he has enough addresses and access to his DNS log
> files, an attacker could abuse this feature to see what triggers your
> snort and what not.
> 
> Forking on alerts also opens the door for a remote DoS attack.
> 
> Regards,
>   Gregor.
> 
> --
> Gregor Binder  <gregor.binder at ...462...>  http://sysfive.com/~gbinder/
> sysfive.com GmbH               UNIX. Networking. Security. Applications.
> Gaertnerstrasse 125b, 20253 Hamburg, Germany         TEL +49-40-63647482
> PGP id: 0x20C6DA55 fp: 18AB 2DD0 F8FA D710 1EDC A97A B128 01C0 20C6 DA55
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/mailman/listinfo/snort-users

--
Martin Roesch
roesch at ...421...
http://www.snort.org




More information about the Snort-users mailing list