[Bro] Question about disable lookup_addr

Seth Hall seth at corelight.com
Tue Oct 24 12:45:44 PDT 2017


That script should only run if you are turning some notices into alarms. I suspect that the lookups you are seeing are due to something else. The two primary scripts that are probably causing DNS lookups are:
	policy/protocols/ssh/interesting-hostnames.bro
	policy/frameworks/files/detect-MHR.bro

   .Seth

On 24 Oct 2017, at 13:13, SJ Lee wrote:

> Hello,
>
> Looking at the reverse DNS records, I am seeing a lot of records from the IDS sensor nodes,
> and found Bro calling the lookup_addr function in a few files.
>
> I was trying to disable all lookup_addr calls, but the files below could not be disabled due to a dependency issue.
>
> Here is my question: is there any easy way to disable the lookup_addr function?
> Or, to restrict it to the internal DNS DB only and not hit the external DNS server, is there any way to do this?
>
>
> 1) /opt/bro/share/bro/base/frameworks/notice/actions/pp-alarms.bro:    when ( local h1name = lookup_addr(h1) )
> /opt/bro/share/bro/base/frameworks/notice/actions/pp-alarms.bro:    when ( local h2name = lookup_addr(h2) )
> /opt/bro/share/bro/base/frameworks/notice/actions/pp-alarms.bro:    when ( local h2name_ = lookup_addr(h2) )
>
> 2) /opt/bro/share/bro/base/bif/bro.bif.bro:global lookup_addr: function(host: addr ) : string ;
>
> Thanks,
> SJ

--
Seth Hall * Corelight, Inc * www.corelight.com
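The `when ( local name = lookup_addr(h) )` lines quoted above are Bro's asynchronous reverse-lookup pattern; the scripts Seth names use the same construct. The following is an added example (not code from the thread or from the Bro distribution) of how a site script can keep that pattern while putting every reverse lookup behind one redef-able switch, so a sensor can be kept from sending DNS queries off-box without having to unload the scripts that depend on `lookup_addr`. The module name, the constant and the `5sec` timeout are my own choices.

```bro
# Added example: a gated wrapper around lookup_addr for site scripts.
# The module name, the redef-able constant and the timeout are assumptions,
# not part of the thread or of the Bro policy scripts it mentions.
module SiteDNS;

export {
	## Set to F in local.bro to stop all reverse lookups issued through this
	## wrapper, e.g. on sensors that must not reach an external DNS server:
	##   redef SiteDNS::reverse_lookups = F;
	const reverse_lookups = T &redef;

	## Called with the name when the lookup finishes, or with the raw
	## address text when lookups are disabled or the query times out.
	type NameHandler: function(h: addr, name: string);
}

## Resolve h asynchronously, as pp-alarms.bro does, but only if allowed.
function resolve(h: addr, handler: NameHandler)
	{
	if ( ! reverse_lookups )
		{
		# Fall back to the address itself; no DNS traffic leaves the sensor.
		handler(h, fmt("%s", h));
		return;
		}

	when ( local hname = lookup_addr(h) )
		{
		handler(h, hname);
		}
	timeout 5sec
		{
		# Bound the wait so a slow or unreachable resolver cannot stall us.
		handler(h, fmt("%s", h));
		}
	}

# Constructed sample use: print whatever name (or address) comes back.
event bro_init()
	{
	resolve(192.0.2.10, function(h: addr, name: string)
		{
		print fmt("%s -> %s", h, name);
		});
	}
```

With `redef SiteDNS::reverse_lookups = F;` in local.bro the wrapper never calls `lookup_addr`, which is an easy way to confirm whether remaining reverse-DNS traffic comes from scripts outside your control, such as the two policy scripts named above.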

