[Bro] Question about disable lookup_addr

SJ Lee bluebike.sjlee at gmail.com
Tue Oct 24 13:26:50 PDT 2017


Hello Seth,

I checked policy/frameworks/files/detect-MHR.bro, but I was not able to find
a call to the lookup_addr function there; instead I see
-   when ( local MHR_result = lookup_hostname_txt(hash_domain) )

Is this also related to DNS lookups?

Thanks,
SJ

On Tue, Oct 24, 2017 at 3:45 PM, Seth Hall <seth at corelight.com> wrote:

> That script should only run if you are turning some notices into alarms.
> I suspect that the look ups you are seeing are due to something else.  The
> two primary scripts that are probably causing DNS lookups are:
>         policy/protocols/ssh/interesting-hostnames.bro
>         policy/frameworks/files/detect-MHR.bro
>
>   .Seth
>
>
> On 24 Oct 2017, at 13:13, SJ Lee wrote:
>
>> Hello,
>>
>> Looking at the reverse DNS records, I am seeing a lot of records from the
>> IDS sensor nodes.
>> And I found Bro calling the lookup_addr function in a few files.
>>
>> I was trying to disable all lookup_addr calls, but the files below could
>> not be disabled due to dependency issues.
>>
>> Here is my question: is there any easy way to disable the lookup_addr
>> function?
>> OR restrict it to the internal DNS DB ONLY, so it does not hit the external
>> DNS server; is there any way to do this?
>>
>>
>> 1) /opt/bro/share/bro/base/frameworks/notice/actions/pp-alarms.bro: when ( local h1name = lookup_addr(h1) )
>> /opt/bro/share/bro/base/frameworks/notice/actions/pp-alarms.bro: when ( local h2name = lookup_addr(h2) )
>> /opt/bro/share/bro/base/frameworks/notice/actions/pp-alarms.bro: when ( local h2name_ = lookup_addr(h2) )
>>
>> 2) /opt/bro/share/bro/base/bif/bro.bif.bro:global lookup_addr: function(host: addr ) : string ;
>>
>> Thanks,
>> SJ
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>
> --
> Seth Hall * Corelight, Inc * www.corelight.com
>