[Bro] Question about disable lookup_addr

SJ Lee bluebike.sjlee at gmail.com
Tue Oct 24 10:13:26 PDT 2017


Hello,

Looking at reverse DNS records, I am seeing a lot of records from the IDS sensor
nodes, and found Bro calling the lookup_addr function in a few files.

I was trying to disable all lookup_addr functions, but I was not able to
disable the files below due to a dependency issue.

Here is my question: is there any easy way to disable the lookup_addr function?
Or, to restrict it to the internal DNS DB only, as I do not want to hit the
external DNS server, is there any way to do this?


1) /opt/bro/share/bro/base/frameworks/notice/actions/pp-alarms.bro:    when ( local h1name = lookup_addr(h1) )
/opt/bro/share/bro/base/frameworks/notice/actions/pp-alarms.bro:    when ( local h2name = lookup_addr(h2) )
/opt/bro/share/bro/base/frameworks/notice/actions/pp-alarms.bro:    when ( local h2name_ = lookup_addr(h2) )

2) /opt/bro/share/bro/base/bif/bro.bif.bro:global lookup_addr: function(host: addr ) : string ;

Thanks,
SJ