[Snort-users] BASE and Snort FQDN Resolution Question

IT Security itsecurity at ...14863...
Tue Jun 29 16:21:40 EDT 2010


There is a setting in base_conf.php that determines whether BASE resolves
FQDNs or not (it is off by default in the most recent version of BASE).
We have this setting turned on and it seems to work fine. The question
we are asking is... When does the name resolution actually occur?

Does it occur when BASE is made aware of the incident? This is my guess,
and if that is true, then in our environment it would be possible for
changes to occur between the incident time and the name resolution time
(we store Snort logs for many hours or days before BASE is made aware of
them).

Just wondering if other Snort users who run BASE have run into and
answered this already.

Thanks!



