[Bro] Question about disable lookup_addr

SJ Lee bluebike.sjlee at gmail.com
Tue Oct 24 11:59:17 PDT 2017


Hello Justin,

Thank you for your quick response.

Bro will use whatever servers are configured in /etc/resolv.conf
=> Good to know this. Thank you.

export {
    ## Activate pretty-printed alarm summaries.
    const pretty_print_alarms = T &redef;

=> "Easily disabled" means that instead of using T, I can set it to F and so disable
this feature?

Thanks,
SJ



On Tue, Oct 24, 2017 at 2:41 PM, Azoff, Justin S <jazoff at illinois.edu>
wrote:

>
> > On Oct 24, 2017, at 1:13 PM, SJ Lee <bluebike.sjlee at gmail.com> wrote:
> >
> > Hello,
> >
> > Looking at the reverse DNS records, I am seeing a lot of records from the IDS sensor nodes.
> > And I found Bro calling the lookup_addr function in a few files.
>
> Set the BRO_DNS_FAKE environment variable and Bro will not use real DNS.
>
> > I was trying to disable all lookup_addr functions, but the files below could not be disabled due to a dependency issue.
> >
> > Here is my question: is there any easy way to disable the lookup_addr function?
> > OR restrict it to the internal DNS DB ONLY, as I do not want to hit an external DNS server. Is there any way to do this?
>
> Bro will use whatever servers are configured in /etc/resolv.conf
>
>
> > 1) /opt/bro/share/bro/base/frameworks/notice/actions/pp-alarms.bro: when ( local h1name = lookup_addr(h1) )
> > /opt/bro/share/bro/base/frameworks/notice/actions/pp-alarms.bro: when ( local h2name = lookup_addr(h2) )
> > /opt/bro/share/bro/base/frameworks/notice/actions/pp-alarms.bro: when ( local h2name_ = lookup_addr(h2) )
>
> From that script:
>
> ##! Notice extension that mails out a pretty-printed version of alarm.log
> ##! in regular intervals, formatted for better human readability. If activated,
> ##! that replaces the default summary mail having the raw log output.
>
> @load base/frameworks/cluster
> @load ../main
>
> module Notice;
>
> export {
>     ## Activate pretty-printed alarm summaries.
>     const pretty_print_alarms = T &redef;
>
>
> So, that is easily disabled.
>
>> Justin Azoff
>
>
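The two answers in this thread (set BRO_DNS_FAKE, and flip Notice::pretty_print_alarms to F) can be tried out with the following small Bro script. It is an added example written for this page, not code from the thread or from the Bro distribution. It overrides the constant from a site script instead of editing the file under /opt/bro/share, and it performs one lookup_addr call so the effect of BRO_DNS_FAKE can be observed. The file name check-dns.bro, the address 8.8.8.8 and the 5 second timeout are constructed for the example.

```bro
# check-dns.bro (added example, not part of the thread or of Bro itself).
@load base/frameworks/notice

# Turn off the pretty-printed alarm mails, so pp-alarms.bro never reaches its
# lookup_addr() calls. A redef in a site script is enough; no need to edit
# /opt/bro/share/bro/base/frameworks/notice/actions/pp-alarms.bro.
redef Notice::pretty_print_alarms = F;

# Keep Bro running until terminate() is called, so the asynchronous lookup
# below has time to complete when the script is run without any input.
redef exit_only_after_terminate = T;

event bro_init()
    {
    print fmt("Notice::pretty_print_alarms = %s", Notice::pretty_print_alarms);

    # One reverse lookup, the same construct pp-alarms.bro uses. Run plainly,
    # it goes to the servers in /etc/resolv.conf; run with BRO_DNS_FAKE set in
    # the environment, Bro answers it without using the real resolver.
    when ( local name = lookup_addr(8.8.8.8) )
        {
        print fmt("lookup_addr(8.8.8.8) returned: %s", name);
        terminate();
        }
    timeout 5 sec
        {
        print "lookup_addr(8.8.8.8) timed out";
        terminate();
        }
    }
```

Run it twice, `bro check-dns.bro` and then `BRO_DNS_FAKE=1 bro check-dns.bro`, and compare the second output line (and, if you want proof, the sensor's outbound port 53 traffic). In a BroControl-managed deployment the `redef` belongs in `local.bro`, and the environment variable is best set through the `env_vars` option in `broctl.cfg` so that every node in the cluster inherits it (assumption: that option exists in your BroControl version; check `broctl config`).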