Looking at reverse DNS records, I am seeing a lot of records from the IDS sensor nodes.
And I found Bro calling the lookup_addr function in a few files.
I was trying to disable all lookup_addr function calls, but the files below could not be disabled due to a dependency issue.
Here is my question: is there any easy way to disable the lookup_addr function?
Or restrict it to an internal DNS DB only, not hitting an external DNS server; is there any way to do this?
/opt/bro/share/bro/base/frameworks/notice/actions/pp-alarms.bro: when ( local h1name = lookup_addr(h1) )
/opt/bro/share/bro/base/frameworks/notice/actions/pp-alarms.bro: when ( local h2name = lookup_addr(h2) )
/opt/bro/share/bro/base/frameworks/notice/actions/pp-alarms.bro: when ( local h2name_ = lookup_addr(h2) )
> Looking at reverse DNS records, I am seeing a lot of records from the IDS sensor nodes.
> And I found Bro calling the lookup_addr function in a few files.

Set the BRO_DNS_FAKE environment variable and Bro will not use real DNS.

> I was trying to disable all lookup_addr function calls, but the files below could not be disabled due to a dependency issue.
> Here is my question: is there any easy way to disable the lookup_addr function?
> Or restrict it to an internal DNS DB only, not hitting an external DNS server; is there any way to do this?

Bro will use whatever servers are configured in /etc/resolv.conf.

> /opt/bro/share/bro/base/frameworks/notice/actions/pp-alarms.bro: when ( local h1name = lookup_addr(h1) )
> /opt/bro/share/bro/base/frameworks/notice/actions/pp-alarms.bro: when ( local h2name = lookup_addr(h2) )
> /opt/bro/share/bro/base/frameworks/notice/actions/pp-alarms.bro: when ( local h2name_ = lookup_addr(h2) )
From that script:
##! Notice extension that mails out a pretty-printed version of alarm.log
##! in regular intervals, formatted for better human readability. If activated,
##! that replaces the default summary mail having the raw log output.
That script should only run if you are turning some notices into alarms. I suspect that the lookups you are seeing are due to something else. The two primary scripts that are probably causing DNS lookups are:
policy/protocols/ssh/interesting-hostnames.bro
policy/frameworks/files/detect-MHR.bro
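The reply above makes two points a sensor operator would want to verify on each node: whether BRO_DNS_FAKE is set in the environment Bro runs under, and which resolvers /etc/resolv.conf actually hands to Bro. The following audit script is an added example, not part of the thread or of Bro itself; it parses resolv.conf-style text, flags any nameserver that is not a private (RFC 1918) or loopback address, and treats the mere presence of BRO_DNS_FAKE as "lookups faked" (an assumption; the thread does not say which value the variable needs). The resolv.conf content is constructed for the example.

```python
import ipaddress
import os

# Constructed sample resolv.conf content (not taken from the original thread).
SAMPLE_RESOLV_CONF = """\
# generated by the sensor build (constructed example)
search corp.example
nameserver 10.0.0.53
nameserver 8.8.8.8 ; public resolver that would leak reverse lookups
options timeout:2
"""


def parse_nameservers(resolv_conf_text):
    """Return the nameserver addresses listed in resolv.conf-style text.

    Both '#' and ';' start comments in resolv.conf; everything after either
    is ignored, as are blank lines and non-nameserver directives.
    """
    servers = []
    for raw in resolv_conf_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "nameserver" and len(fields) >= 2:
            servers.append(fields[1])
    return servers


def external_nameservers(servers):
    """Return the subset of servers that are neither private nor loopback.

    Unparseable entries are flagged too, since they cannot be shown to be internal.
    """
    external = []
    for server in servers:
        try:
            ip = ipaddress.ip_address(server)
        except ValueError:
            external.append(server)
            continue
        if not (ip.is_private or ip.is_loopback):
            external.append(server)
    return external


def dns_is_faked(environ):
    """Assumption for this example: Bro fakes DNS when BRO_DNS_FAKE is present at all."""
    return "BRO_DNS_FAKE" in environ


def audit(resolv_conf_text, environ):
    """Summarise where Bro's lookup_addr() calls would go on this node.

    status is 'faked' when BRO_DNS_FAKE is set, 'ok' when every configured
    resolver is internal, and 'leaks' when at least one external resolver
    would receive reverse-DNS queries for addresses seen by the sensor.
    """
    if dns_is_faked(environ):
        return {"status": "faked", "external": []}
    external = external_nameservers(parse_nameservers(resolv_conf_text))
    return {"status": "leaks" if external else "ok", "external": external}


if __name__ == "__main__":
    # Audit the constructed sample against the current process environment.
    print(audit(SAMPLE_RESOLV_CONF, os.environ))
    # To audit the real node instead:
    # with open("/etc/resolv.conf") as fh:
    #     print(audit(fh.read(), os.environ))
```

Run it in the same environment the Bro process inherits (for a broctl-managed cluster that is the account broctl runs as, which may not carry the variables of an interactive shell), otherwise the BRO_DNS_FAKE check reports the wrong environment.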