[Bro] Question about disable lookup_addr
Azoff, Justin S
jazoff at illinois.edu
Tue Oct 24 11:41:13 PDT 2017
> On Oct 24, 2017, at 1:13 PM, SJ Lee <bluebike.sjlee at gmail.com> wrote:
>
> Hello,
>
> Looking at reverse dns record, seeing a lot of record from the IDS sensor nodes.
> And found bro calling lookup_addr function in few files.
Set the BRO_DNS_FAKE environment variable and bro will not use real dns..
> I was trying to disable all lookup_addr function, but below files not able to disable due to dependency issue.
>
> Is here my question, is there any easy way to disable lookup_addr function?
> OR restrict internal dns db ONLY not want to hit external dns server, is there any way can do this?
Bro will use whatever servers are configured in /etc/resolv.conf
> 1) /opt/bro/share/bro/base/frameworks/notice/actions/pp-alarms.bro: when ( local h1name = lookup_addr(h1) )
> /opt/bro/share/bro/base/frameworks/notice/actions/pp-alarms.bro: when ( local h2name = lookup_addr(h2) )
> /opt/bro/share/bro/base/frameworks/notice/actions/pp-alarms.bro: when ( local h2name_ = lookup_addr(h2) )
>From that script:
##! Notice extension that mails out a pretty-printed version of alarm.log
##! in regular intervals, formatted for better human readability. If activated,
##! that replaces the default summary mail having the raw log output.
@load base/frameworks/cluster
@load ../main
module Notice;
export {
## Activate pretty-printed alarm summaries.
const pretty_print_alarms = T &redef;
So, that is easily disabled.
—
Justin Azoff
More information about the Bro
mailing list