[Bro] Question about disable lookup_addr
seth at corelight.com
Tue Oct 24 12:45:44 PDT 2017
That script should only run if you are turning some notices into alarms.
I suspect that the lookups you are seeing are due to something else.
The two primary scripts that are probably causing DNS lookups are:
On 24 Oct 2017, at 13:13, SJ Lee wrote:
> Looking at reverse DNS records, I am seeing a lot of records from the IDS,
> and found Bro calling the lookup_addr function in a few files.
> I was trying to disable all lookup_addr function calls, but the files below
> could not be disabled due to a dependency issue.
> Here is my question: is there any easy way to disable lookup_addr,
> OR restrict it to the internal DNS DB only (I do not want to hit an external
> DNS server)? Is there any way to do this?
> 1) /opt/bro/share/bro/base/frameworks/notice/actions/pp-alarms.bro:
> ( local h1name = lookup_addr(h1) )
> when ( local h2name = lookup_addr(h2) )
> when ( local h2name_ = lookup_addr(h2) )
> 2) /opt/bro/share/bro/base/bif/bro.bif.bro:global lookup_addr:
> function(host: addr ) : string ;
Seth Hall * Corelight, Inc * www.corelight.com