No subject


Thu Nov 23 16:36:19 EST 2017


_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2656.60">
<TITLE>RE: [Snort-users] When does snort/ACID do DNS lookups</TITLE>
</HEAD>
<BODY>

<P><FONT SIZE=2>Hi Dave,</FONT>
</P>

<P><FONT SIZE=2>The other responses have covered off the high-level info you need. If you want the techie stuff, go into your acid_conf.php file; there is a section halfway in for all your DNS settings. You can turn resolve on or off and set cache lifetime options. If your DNS changes weekly, for example, set your cache variables to a week or less and they will refresh themselves for you.</FONT></P>

<P><FONT SIZE=2>Shawn Truax</FONT>
<BR><FONT SIZE=2>Security Specialist</FONT>
<BR><FONT SIZE=2>Corporate Security</FONT>
<BR><FONT SIZE=2>155 University Ave.</FONT>
<BR><FONT SIZE=2>Toronto, Ontario</FONT>
<BR><FONT SIZE=2>M5H 3B7</FONT>
<BR><FONT SIZE=2>(416)327-1107</FONT>
</P>
<BR>

<P><FONT SIZE=2>-----Original Message-----</FONT>
<BR><FONT SIZE=2>From: Humes, David G. [<A HREF="mailto:David.Humes at ...979...383...">mailto:David.Humes at ...383...</A>]</FONT>
<BR><FONT SIZE=2>Sent: June 3, 2004 3:12 PM</FONT>
<BR><FONT SIZE=2>To: 'snort-users at lists.sourceforge.net'</FONT>
<BR><FONT SIZE=2>Subject: [Snort-users] When does snort/ACID do DNS lookups</FONT>
</P>
<BR>

<P><FONT SIZE=2>I'm looking at a series of alerts in ACID that clearly have the wrong hostname associated with the source IP. The host in question is on a DHCP subnet, and it did get a new lease recently. But alerts continue to be logged that show an old hostname. dig/nslookup on the sensor/database machine return the correct hostname. Since I'm seeing the old hostname associated with new alerts coming into the database, it would seem that it's not doing DNS lookups when the records are viewed. So, then it would seem that it must be doing the lookups when the database receives the alerts from snort. But, that doesn't seem right either since manual lookups on the sensor/database host return the correct hostname. It appears almost as though something has cached the mapping. The sensor/database host is not running the client name service caching daemon. Any thoughts?</FONT>
</P>

<P><FONT SIZE=2>Thanks.</FONT>
</P>

<P><FONT SIZE=2>--Dave</FONT>
</P>
<BR>
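The symptom Dave describes (the OS resolver answers correctly while the console keeps showing the pre-lease hostname) and the fix Shawn points to (a cache lifetime no longer than the DHCP lease) are modelled in this added Python example. It is not ACID's code: the cache structure, the constructed address 192.0.2.10, the two hostnames and the one-day lease are all assumptions made for the demonstration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

DAY = 86400
WEEK = 7 * DAY
LEASE = DAY  # assumed DHCP lease length for the constructed scenario

@dataclass
class CachedName:
    fqdn: str
    resolved_at: float  # time the resolver was last asked about this IP

@dataclass
class ConsoleDnsCache:
    """Model of a console-side reverse-DNS cache with the two knobs Shawn
    mentions: a resolve on/off switch and a cache lifetime. Not ACID's code."""
    resolve: Callable[[str, float], str]  # injected resolver so this runs offline
    lifetime: float  # seconds a cached name is reused before a fresh lookup
    enabled: bool = True
    entries: Dict[str, CachedName] = field(default_factory=dict)

    def hostname(self, ip: str, now: float) -> str:
        if not self.enabled:
            return ip  # resolution off: the console shows the bare address
        hit = self.entries.get(ip)
        if hit is not None and now - hit.resolved_at < self.lifetime:
            return hit.fqdn  # cache hit: the resolver is never consulted
        fqdn = self.resolve(ip, now)  # miss or expired entry: fresh lookup
        self.entries[ip] = CachedName(fqdn, now)
        return fqdn

    def stale_entries(self, now: float, lease: float) -> List[str]:
        """IPs whose cached name is older than a lease and may name the wrong host."""
        return sorted(ip for ip, e in self.entries.items() if now - e.resolved_at > lease)

def live_ptr(ip: str, now: float) -> str:
    """Stand-in for what dig/nslookup on the sensor returns: the constructed address
    192.0.2.10 is handed to another machine when its lease is reissued at t = LEASE."""
    if ip != "192.0.2.10":
        return ip
    return "old-laptop.example.test" if now < LEASE else "new-laptop.example.test"

def displayed_names(lifetime: float, enabled: bool = True) -> List[str]:
    """Hostname the console shows for 192.0.2.10 at three viewing times: before the
    lease change, an hour after it, and two days after it."""
    cache = ConsoleDnsCache(resolve=live_ptr, lifetime=lifetime, enabled=enabled)
    return [cache.hostname("192.0.2.10", t) for t in (0, LEASE + 3600, LEASE + 2 * DAY)]
```

With a one-week lifetime the console keeps returning the stale name for days after the lease changed even though live_ptr already answers with the new one; with the lifetime capped at the lease length the name refreshes on the first view after expiry.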


</BODY>
</HTML>





