Snort reverse lookup icon



  • @meeks
    I have noticed the blue information icon for reverse lookup opens in the same window. This is the same for pfSense firewall logs, etc.

    Would it pose a security risk if it opened up in a new window rather than the existing window? I'm thinking it would be like opening up a new session of the admin page?

    If there is no security risk, could you make this change in the next release?



  • @Clear-Pixel:

    @meeks
    I have noticed the blue information icon for reverse lookup opens in the same window. This is the same for pfSense firewall logs, etc.

    Would it pose a security risk if it opened up in a new window rather than the existing window? I'm thinking it would be like opening up a new session of the admin page?

    If there is no security risk, could you make this change in the next release?

    The next release will duplicate exactly the way the reverse DNS lookup icons work in the firewall logs.  There will be two icons.  One opens a quick pop-up dialog window, and the other opens the Diagnostics…DNS page.  This is only true on pfSense 2.1 and higher, though.  Apparently the DNS lookup code on 2.0.x does not implement the dialog output option.  At least that's what I observed in my testing of the new Snort package.  So if you have 2.0.x pfSense, you get the current DNS lookup behavior.  If you have 2.1 or higher, then you get the new behavior.

    I have submitted the update for 2.9.5.6 of the Snort binary.  Once it is confirmed to build a package correctly, then I will submit an update to the Snort GUI to version 3.0.3.  That will include the new reverse DNS feature along with two other asked-for features:  (1) the ability to manage all rules both regular and decoder/preprocessor text rules, (2) the ability to force-disable a rule from the ALERTS tab.

    Bill



  • Why is it that oftentimes many IPs are missing the reverse DNS info?

    Is it a DNS server with a poorly compiled DNS list?

    It would seem the IP would be out of compliance if no name was attached?



  • @Clear-Pixel:

    Why is it that oftentimes many IPs are missing the reverse DNS info?

    Is it a DNS server with a poorly compiled DNS list?

    It would seem the IP would be out of compliance if no name was attached?

    There are a fairly significant number of the "spammer" and other blacklisted IPs that do not resolve via DNS lookups.  Not really surprising when you realize these guys don't want to be found… ;)

    Bill

