[Snort-users] Secure - NSLOOKUP
cpw at ...440...
Sun Jan 28 15:17:17 EST 2001
It don't suck.
What a lot of folks don't understand, is that there are millions of addresses
that DO NOT RESOLVE. There are also servers that do not reply. And there
is code in resolver to try hard to get an answer (bad for snort or any other
process dependent on timely response to incoming packets). Snort is in the
business of capturing packets, and passing the information gained through
rules. Any rules that need to know what name space the packets are coming
from need to be placed in some post processor on a different machine.
In the same vein, it's as bad as writing your alerts to an nfs mounted
disk. Or, anything else that might cause snort to BLOCK, and not get
back to its job of processing packets.
On Fri, Jan 26, 2001 at 10:33:35PM -0500, Martin Roesch wrote:
> Have swatch do an nslookup on the IP addresses when it sees an alert....
> I know this sucks, but I'm *really* against adding name lookups into
Phil Wood, cpw at ...440...
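The post-processor arrangement Phil describes, as an added example that is not part of the original thread or of Snort itself: a separate program reads alert lines, pulls out the source and destination addresses, and reverse-resolves them with a hard per-lookup deadline and a cache, so a resolver that "tries hard" can only stall this helper, never the sniffer. The alert lines, the PTR table and the `demo_resolver` that pretends one server never answers are all constructed for the example; `system_reverse_lookup` is the drop-in for real use.

```python
"""Post-processor that adds reverse-DNS names to Snort alert lines.

Added example, not code from the original post or from Snort: name lookups
happen here, off the capture path, with a per-lookup timeout and a cache.
"""
import concurrent.futures
import re
import socket
import time
from typing import Callable, Dict, List

# Alert-style lines, constructed for this example. Only the "a.b.c.d -> e.f.g.h"
# part is parsed; real Snort alert formats vary between versions.
SAMPLE_ALERTS = [
    "[**] [1:100:1] ICMP PING [**] 01/26-22:33:35.000000 192.0.2.10 -> 198.51.100.5",
    "[**] [1:101:1] SCAN nmap TCP [**] 01/26-22:33:36.000000 203.0.113.7:4242 -> 198.51.100.5:80",
    "[**] [1:100:1] ICMP PING [**] 01/26-22:33:37.000000 192.0.2.10 -> 198.51.100.6",
]

IP_PAIR_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)? -> (\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?"
)

Resolver = Callable[[str], str]


def system_reverse_lookup(ip: str) -> str:
    """Blocking PTR lookup through the system resolver (this is the call
    that can hang; BoundedResolver keeps it away from the capture loop)."""
    return socket.gethostbyaddr(ip)[0]


# Constructed stand-in for the resolver so the example runs offline:
# two addresses have names, one "server" never answers, the rest have no PTR.
DEMO_PTR_TABLE = {"192.0.2.10": "probe.example.net", "198.51.100.5": "www.example.org"}


def demo_resolver(ip: str) -> str:
    if ip == "203.0.113.7":
        time.sleep(1.0)  # simulates a nameserver that does not reply
    if ip not in DEMO_PTR_TABLE:
        raise OSError("no PTR record")
    return DEMO_PTR_TABLE[ip]


class BoundedResolver:
    """Reverse-resolve with a per-lookup deadline and a memo cache.

    Each lookup runs in a worker thread; if the deadline passes, the caller
    gets the bare IP back and moves on. A hung worker is a cost paid inside
    this post-processor only.
    """

    def __init__(self, resolver: Resolver, timeout: float, workers: int = 4):
        self.resolver = resolver
        self.timeout = timeout
        self.cache: Dict[str, str] = {}
        self.timeouts = 0
        self._pool = concurrent.futures.ThreadPoolExecutor(max_workers=workers)

    def name_for(self, ip: str) -> str:
        if ip in self.cache:
            return self.cache[ip]
        future = self._pool.submit(self.resolver, ip)
        try:
            name = future.result(timeout=self.timeout)
        except concurrent.futures.TimeoutError:
            self.timeouts += 1
            return ip  # not cached: a later attempt may get an answer
        except (socket.herror, socket.gaierror, OSError):
            name = ip  # address has no PTR record; remember that
        self.cache[ip] = name
        return name

    def close(self) -> None:
        self._pool.shutdown(wait=False)


def annotate_alerts(lines: List[str], resolver: BoundedResolver) -> List[str]:
    """Append "[src_name -> dst_name]" to every alert line naming two IPs."""
    out = []
    for line in lines:
        m = IP_PAIR_RE.search(line)
        if not m:
            out.append(line)
            continue
        src, dst = m.group(1), m.group(2)
        out.append(f"{line}  [{resolver.name_for(src)} -> {resolver.name_for(dst)}]")
    return out


if __name__ == "__main__":
    r = BoundedResolver(demo_resolver, timeout=0.2)
    for line in annotate_alerts(SAMPLE_ALERTS, r):
        print(line)
    print(f"lookups that hit the {r.timeout}s deadline: {r.timeouts}")
    r.close()
```

The point of the deadline is that the line for 203.0.113.7 is emitted with the bare address after 0.2 seconds instead of waiting out the resolver; timed-out addresses are deliberately left out of the cache so a later run can retry them, while addresses that definitely have no PTR are cached as themselves to avoid repeating the failing query.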