[Bro] Disabling PTR lookups in reporting

JRH cryptowave at gmail.com
Thu Jan 7 08:01:30 PST 2010


I have looked at the documentation, wiki, and archive from the mailing
list, and some of the code, but I can't seem (perhaps overlooked) to
figure out how to disable PTR resolution in the site reports.
Depending on the category (bytes trans, top dest, etc) it has a
different "buffer" for each hostname and, in most cases, the PTR
record exceeds the buffer so you end up with an entry that is very
difficult to tie to an IP address for further investigation.

I am hoping someone has shared this same frustration and there is a
solution available.

Thanks for any insight!
