[Bro] Question about disable lookup_addr
SJ Lee
bluebike.sjlee at gmail.com
Tue Oct 24 13:26:50 PDT 2017
Hello Seth,
I checked policy/frameworks/files/detect-MHR.bro, but does not able to fine
function for lookup_addr but seeing
- when ( local MHR_result = lookup_hostname_txt(hash_domain) )
Is this also related with dns lookup?
Thanks,
SJ
On Tue, Oct 24, 2017 at 3:45 PM, Seth Hall <seth at corelight.com> wrote:
> That script should only run if you are turning some notices into alarms.
> I suspect that the look ups you are seeing are due to something else. The
> two primary scripts that are probably causing DNS lookups are:
> policy/protocols/ssh/interesting-hostnames.bro
> policy/frameworks/files/detect-MHR.bro
>
> .Seth
>
>
> On 24 Oct 2017, at 13:13, SJ Lee wrote:
>
> Hello,
>>
>> Looking at reverse dns record, seeing a lot of record from the IDS sensor
>> nodes.
>> And found bro calling lookup_addr function in few files.
>>
>> I was trying to disable all lookup_addr function, but below files not able
>> to disable due to dependency issue.
>>
>> Is here my question, is there any easy way to disable lookup_addr
>> function?
>> OR restrict internal dns db ONLY not want to hit external dns server, is
>> there any way can do this?
>>
>>
>> 1) /opt/bro/share/bro/base/frameworks/notice/actions/pp-alarms.bro:
>> when
>> ( local h1name = lookup_addr(h1) )
>> /opt/bro/share/bro/base/frameworks/notice/actions/pp-alarms.bro:
>> when ( local h2name = lookup_addr(h2) )
>> /opt/bro/share/bro/base/frameworks/notice/actions/pp-alarms.bro:
>> when ( local h2name_ = lookup_addr(h2) )
>>
>> 2) /opt/bro/share/bro/base/bif/bro.bif.bro:global lookup_addr:
>> function(host: addr ) : string ;
>>
>> Thanks,
>> SJ
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>
> --
> Seth Hall * Corelight, Inc * www.corelight.com
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20171024/2a67503f/attachment.html
More information about the Bro
mailing list