[Bro] Question about disable lookup_addr

Azoff, Justin S jazoff at illinois.edu
Tue Oct 24 11:41:13 PDT 2017


> On Oct 24, 2017, at 1:13 PM, SJ Lee <bluebike.sjlee at gmail.com> wrote:
> 
> Hello,
> 
> Looking at reverse DNS records, I am seeing a lot of records from the IDS sensor nodes.
> And I found Bro calling the lookup_addr function in a few files.

Set the BRO_DNS_FAKE environment variable and Bro will not use real DNS.

> I was trying to disable all lookup_addr functions, but the files below could not be disabled due to a dependency issue.
> 
> Here is my question: is there any easy way to disable the lookup_addr function?
> Or to restrict it to the internal DNS DB only, so it does not hit an external DNS server; is there any way to do this?

Bro will use whatever servers are configured in /etc/resolv.conf


> 1) /opt/bro/share/bro/base/frameworks/notice/actions/pp-alarms.bro:    when ( local h1name = lookup_addr(h1) )
> /opt/bro/share/bro/base/frameworks/notice/actions/pp-alarms.bro:        when ( local h2name = lookup_addr(h2) )
> /opt/bro/share/bro/base/frameworks/notice/actions/pp-alarms.bro:        when ( local h2name_ = lookup_addr(h2) )

From that script:

##! Notice extension that mails out a pretty-printed version of alarm.log
##! in regular intervals, formatted for better human readability. If activated,
##! that replaces the default summary mail having the raw log output.

@load base/frameworks/cluster
@load ../main

module Notice;

export {
    ## Activate pretty-printed alarm summaries.
    const pretty_print_alarms = T &redef;


So, that is easily disabled.

-- 
Justin Azoff
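Since Bro sends its lookups to whatever resolvers /etc/resolv.conf lists, the practical check for the "internal DNS only" half of the question is to verify that list. The following is an added example, not code from this thread or from the Bro project: it parses resolv.conf-style text and reports every nameserver outside the ranges treated as internal. The RFC 1918 ranges in ALLOWED_RESOLVER_NETS and the sample resolv.conf content are assumptions constructed for the example; replace them with the site's real resolver subnets.

```python
import ipaddress
from typing import List

# Constructed sample resolv.conf content for the example (not from any real sensor).
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search sensors.example.internal
nameserver 10.20.0.53
nameserver 8.8.8.8   ; public fallback someone left in
options timeout:2 attempts:2
"""

# Ranges the operator considers "internal" resolvers. RFC 1918 is an
# assumption for the example; a loopback stub (127.0.0.53) is deliberately
# not listed, because a local forwarder may still send queries externally.
ALLOWED_RESOLVER_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def parse_nameservers(text: str) -> List[str]:
    """Return the nameserver addresses from resolv.conf-style text, in order.

    Comments start with '#' or ';' and run to end of line; other directives
    (search, domain, options) are ignored.
    """
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            servers.append(parts[1])
    return servers


def external_nameservers(text: str, allowed=ALLOWED_RESOLVER_NETS) -> List[str]:
    """Return nameservers that fall outside every allowed internal range.

    Entries that do not parse as IP addresses are reported too, since an
    unparseable resolver line is worth a look rather than silent skipping.
    """
    external = []
    for server in parse_nameservers(text):
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            external.append(server)
            continue
        if not any(addr in net for net in allowed):
            external.append(server)
    return external


def resolv_conf_is_internal_only(path: str = "/etc/resolv.conf") -> bool:
    """True when every nameserver in the given file is inside an allowed range."""
    with open(path) as f:
        return not external_nameservers(f.read())


if __name__ == "__main__":
    # Run against the constructed sample; point resolv_conf_is_internal_only()
    # at the sensor's real file to check a live node.
    print("external resolvers in sample:", external_nameservers(SAMPLE_RESOLV_CONF))
```

On the sample above the check reports 8.8.8.8 and nothing else. Run with BRO_DNS_FAKE unset, an entry like that is exactly where lookup_addr() calls from pp-alarms.bro end up.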
