RE: [Snort-users] When does snort/ACID do DNS lookups

Thu Nov 23 16:36:19 EST 2017

Hi Dave,

The other responses have covered off the high level info you need. If you want the techie stuff, go into your acid_conf.php file and there is a section half way in for all your DNS settings. You can turn resolve on or off and set cache lifetime options. If your DNS changes weekly, for example, set your cache variables to a week or less and they will refresh themselves for you.

Shawn Truax
Security Specialist
Corporate Security
155 University Ave.
Toronto, Ontario
(416)327-1107

-----Original Message-----
From: Humes, David G. [mailto:David.Humes at ...383...]
Sent: June 3, 2004 3:12 PM
To: 'snort-users at'
Subject: [Snort-users] When does snort/ACID do DNS lookups

I'm looking at a series of alerts in ACID that clearly have the wrong hostname associated with the source IP. The host in question is on a DHCP subnet, and it did get a new lease recently. But alerts continue to be logged that show an old hostname. dig/nslookup on the sensor/database machine return the correct hostname. Since I'm seeing the old hostname associated with new alerts coming into the database, it would seem that it's not doing DNS lookups when the records are viewed. So, then it would seem that it must be doing the lookups when the database receives the alerts from snort. But, that doesn't seem right either since manual lookups on the sensor/database host return the correct hostname. It appears almost as though something has cached the mapping. The sensor/database host is not running client name service caching daemon. Any th

Thanks.

--Dave

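The behaviour discussed in this thread, modelled as an added example (this is not ACID's code and not from either poster): the console keeps its own IP-to-hostname cache and only re-resolves an address once the cached entry is older than the configured lifetime, so a host that took a new DHCP lease keeps showing its old name until then, even though dig/nslookup on the same box (which bypass the application cache) already return the new one. The reverse zone, addresses, hostnames and the timeline are constructed so the example runs offline; nothing here uses ACID's real variable names.

```python
"""Model of a display-time IP->hostname cache with a configurable lifetime.

Added illustration for the thread above; it is not ACID's code. It shows why
an application-level DNS cache can display a stale hostname while the OS
resolver on the same host (no nscd running) answers correctly, and how the
cache lifetime setting bounds how long the stale mapping survives.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Constructed "reverse zone": what a PTR lookup would return right now.
# simulate() mutates it to stand in for the DHCP lease change in the thread.
REVERSE_ZONE: Dict[str, str] = {"10.0.5.23": "laptop-old.example.internal"}


def live_lookup(ip: str) -> str:
    """Stand-in for gethostbyaddr(): reads the constructed zone table."""
    return REVERSE_ZONE.get(ip, ip)  # fall back to the bare IP, as a console would


@dataclass
class DnsCache:
    lifetime: int                        # seconds; 0 means entries never expire
    resolver: Callable[[str], str] = live_lookup
    _entries: Dict[str, Tuple[str, int]] = field(default_factory=dict)
    lookups: int = 0                     # number of real resolutions performed

    def resolve(self, ip: str, now: int) -> str:
        """Return the cached name if it is still within lifetime, else re-resolve."""
        cached = self._entries.get(ip)
        if cached is not None:
            name, stored_at = cached
            if self.lifetime == 0 or now - stored_at < self.lifetime:
                return name              # served from cache, stale or not
        name = self.resolver(ip)
        self._entries[ip] = (name, now)
        self.lookups += 1
        return name


def simulate(lifetime: int) -> dict:
    """Replay the scenario from the thread against a cache with the given lifetime.

    Constructed timeline: t=0 the first alert is displayed and its hostname
    cached; the host then gets a new lease and a new name; t=4000 a new alert
    for the same IP is displayed. Returns what the console shows for the new
    alert, what a fresh lookup says, and how many real resolutions ran.
    """
    REVERSE_ZONE["10.0.5.23"] = "laptop-old.example.internal"
    cache = DnsCache(lifetime=lifetime)
    first = cache.resolve("10.0.5.23", now=0)
    REVERSE_ZONE["10.0.5.23"] = "laptop-new.example.internal"  # lease change
    shown = cache.resolve("10.0.5.23", now=4000)
    return {
        "first": first,
        "shown_for_new_alert": shown,
        "truth_now": live_lookup("10.0.5.23"),  # what dig/nslookup would say
        "lookups": cache.lookups,
    }


if __name__ == "__main__":
    # Infinite cache, a one-week lifetime, and a one-hour lifetime.
    for lifetime in (0, 7 * 24 * 3600, 3600):
        print(f"lifetime={lifetime:>7}s -> {simulate(lifetime)}")
```

The check a practitioner wants when a console shows a suspicious hostname is the `truth_now` comparison: a fresh lookup that disagrees with the displayed name points at a cache in the application, not at DNS. Note that a one-week lifetime still shows the old name for the new alert in this timeline; the lifetime is an upper bound on how long a stale mapping persists, so it has to be set shorter than the interval at which addresses actually change hands.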



More information about the Snort-users mailing list