Question about disable lookup_addr

Hello,

Looking at the reverse DNS records, I am seeing a lot of records from the IDS sensor nodes.

And I found Bro calling the lookup_addr function in a few files.

I was trying to disable all lookup_addr function calls, but I was not able to disable the ones in the files below due to a dependency issue.

Here is my question: is there any easy way to disable the lookup_addr function?
OR restrict it to the internal DNS DB ONLY, since I do not want it to hit an external DNS server; is there any way to do this?

  1. /opt/bro/share/bro/base/frameworks/notice/actions/pp-alarms.bro: when ( local h1name = lookup_addr(h1) )
    /opt/bro/share/bro/base/frameworks/notice/actions/pp-alarms.bro: when ( local h2name = lookup_addr(h2) )
    /opt/bro/share/bro/base/frameworks/notice/actions/pp-alarms.bro: when ( local h2name_ = lookup_addr(h2) )

  2. /opt/bro/share/bro/base/bif/bro.bif.bro:global lookup_addr: function(host: addr ) : string ;

Thanks,
SJ

Hello,

> Looking at the reverse DNS records, I am seeing a lot of records from the IDS sensor nodes.
> And I found Bro calling the lookup_addr function in a few files.

Set the BRO_DNS_FAKE environment variable and Bro will not use real DNS.

> I was trying to disable all lookup_addr function calls, but I was not able to disable the ones in the files below due to a dependency issue.

> Here is my question: is there any easy way to disable the lookup_addr function?
> OR restrict it to the internal DNS DB ONLY, since I do not want it to hit an external DNS server; is there any way to do this?

Bro will use whatever servers are configured in /etc/resolv.conf.

> 1) /opt/bro/share/bro/base/frameworks/notice/actions/pp-alarms.bro: when ( local h1name = lookup_addr(h1) )
>    /opt/bro/share/bro/base/frameworks/notice/actions/pp-alarms.bro: when ( local h2name = lookup_addr(h2) )
>    /opt/bro/share/bro/base/frameworks/notice/actions/pp-alarms.bro: when ( local h2name_ = lookup_addr(h2) )

From that script:

##! Notice extension that mails out a pretty-printed version of alarm.log
##! in regular intervals, formatted for better human readability. If activated,
##! that replaces the default summary mail having the raw log output.

@load base/frameworks/cluster
@load ../main

module Notice;

export {
    ## Activate pretty-printed alarm summaries.
    const pretty_print_alarms = T &redef;
}

So, that is easily disabled.

Hello Justin,

Thank you for your quick response.

> Bro will use whatever servers are configured in /etc/resolv.conf.

=> Good to know this. Thank you.

> export {
>     ## Activate pretty-printed alarm summaries.
>     const pretty_print_alarms = T &redef;

=> Easily disabled, meaning that instead of using T, I can set F, and that disables this feature?

Thanks,

SJ

That script should only run if you are turning some notices into alarms. I suspect that the lookups you are seeing are due to something else. The two primary scripts that are probably causing DNS lookups are:
  policy/protocols/ssh/interesting-hostnames.bro
  policy/frameworks/files/detect-MHR.bro

   .Seth

Hello Seth,

I checked policy/frameworks/files/detect-MHR.bro, but I was not able to find the lookup_addr function; instead I am seeing

  • when ( local MHR_result = lookup_hostname_txt(hash_domain) )

Is this also related to DNS lookups?

Thanks,

SJ

Yep. All of the DNS-related functions are:
  lookup_addr
  lookup_hostname_txt
  lookup_hostname

  .Seth
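Putting Justin's point about the `&redef` constant and Seth's list of DNS callers together, here is a site-local Bro script that stops the known lookups and gates any site-written lookup behind a switch of the same kind. This is an added example written for this page; it is not code from the thread or from the Bro project. It assumes Bro 2.x with the /opt/bro layout shown above, that the two policy scripts are pulled in from local.bro, and that BroControl's `env_vars` option in broctl.cfg is available; the `Site::allow_reverse_dns` constant and the `connection_established` handler are made up for illustration.

```bro
##! Site-local tuning for a sensor that must not issue DNS lookups.
##! Added example, not from the thread or the Bro project. Assumes Bro 2.x.

# 1. The pretty-printed alarm mailer (base/frameworks/notice/actions/pp-alarms.bro)
#    calls lookup_addr() on the hosts in each alarm. Its switch is declared
#    "const ... &redef", so a site script may override it without editing base/.
redef Notice::pretty_print_alarms = F;

# 2. The policy scripts that issue lookups run only if local.bro loads them
#    (assumption: this site's local.bro has these lines), so dropping or
#    commenting out the @load lines stops those lookups.
#@load protocols/ssh/interesting-hostnames   # lookup_addr() on SSH endpoints
#@load frameworks/files/detect-MHR           # lookup_hostname_txt() on hash domains

# 3. Belt and braces: with BRO_DNS_FAKE set in the process environment, Bro
#    answers lookup_addr()/lookup_hostname()/lookup_hostname_txt() without
#    contacting the servers in /etc/resolv.conf. With BroControl this can be
#    set per deployment (assumption: env_vars = BRO_DNS_FAKE=1 in broctl.cfg).

# 4. Site-written lookups should be gated the way pp-alarms is, so they can be
#    switched off by redef rather than by editing the script.
module Site;

export {
    ## Set to T only on sensors that are allowed to resolve addresses.
    ## (Hypothetical name used for this example.)
    const allow_reverse_dns = F &redef;
}

event connection_established(c: connection)
    {
    if ( ! allow_reverse_dns )
        return;

    # Asynchronous lookup: the body runs when the resolver answers, so the
    # event handler itself never blocks packet processing.
    when ( local name = lookup_addr(c$id$orig_h) )
        {
        print fmt("%s resolves to %s", c$id$orig_h, name);
        }
    timeout 5 secs
        {
        print fmt("reverse lookup of %s timed out", c$id$orig_h);
        }
    }
```

Drop this into site/local.bro (or a file that local.bro @loads), redeploy, and then confirm the change the way SJ noticed the problem in the first place: watch port 53 traffic leaving the sensors' management interface for a while and check that no reverse lookups for monitored hosts appear.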

Thank you, Seth, this helps me a lot.

–SJ