On Fri, Jan 23, 2015 at 7:08 AM, ZaNN <[email protected]> wrote:
> Hi list,
>
> I have not found in the docs if it's possible to show in the alert e-mail
> the reverse lookup instead of the IP. In my environment I set up geoip,
> however when an internal address is decoded RFC 1918 is shown instead (which
> is correct!).
>
> Example:
>
> Rule: 31533 fired (level 10) -> "High amount of POST requests in a small
> period of time (likely bot)."
> Src Location: RFC1918 IP
> Portion of the log(s):
>
> 10.0.32.179 - - [23/Jan/2015:11:52:13 +0000] "POST
> /uploads.js?attachment_id=8&
>
> In these cases where RFC1918 IP is shown it is interesting for us to show
> the reverse DNS in order to know who is responsible for that workstation or at
> least the location inside the internal network.
>
> Is it already coded in OSSEC?
> If not, where should I start taking a look (into the code)?
>

This is not an option, and because DNS lookups would probably block
alerting during the lookup, I don't see it happening.

> Thank you
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.

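An added example, not part of the thread and not OSSEC code: a post-processing step run outside OSSEC on alert text that has already been delivered, which appends the PTR name for each RFC 1918 address and caps every lookup with a timeout so a slow resolver cannot hold up the mail. The function names, the `Src Hostname` line and the sample alert are assumptions made for this illustration.

```python
import ipaddress
import re
import socket
from concurrent.futures import ThreadPoolExecutor, TimeoutError as LookupTimeout

# Constructed sample: the excerpt from the post plus one public (TEST-NET-3) address.
SAMPLE_ALERT = (
    'Rule: 31533 fired (level 10) -> "High amount of POST requests"\n'
    "Src Location: RFC1918 IP\n"
    '10.0.32.179 - - [23/Jan/2015:11:52:13 +0000] "POST /uploads.js" via 203.0.113.5\n'
)

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
_POOL = ThreadPoolExecutor(max_workers=4)  # lookups run off the caller's thread


def ptr_lookup(ip):
    """Default resolver: PTR lookup through the system resolver."""
    return socket.gethostbyaddr(ip)[0]


def internal_ips(alert_text):
    """Distinct RFC 1918 addresses in the alert, in order of appearance."""
    found = []
    for token in IPV4_RE.findall(alert_text):
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:  # looks like an IP but is not one, e.g. 999.1.1.1
            continue
        if token not in found and any(addr in net for net in RFC1918):
            found.append(token)
    return found


def annotate_alert(alert_text, resolver=ptr_lookup, timeout=2.0):
    """Append a 'Src Hostname' line per internal IP, waiting at most `timeout` each."""
    pending = [(ip, _POOL.submit(resolver, ip)) for ip in internal_ips(alert_text)]
    extra = []
    for ip, fut in pending:
        try:
            name = fut.result(timeout=timeout)
        except LookupTimeout:  # must precede OSError: it is a subclass on 3.11+
            name = "(lookup timed out)"
        except OSError:  # socket.herror / socket.gaierror: no PTR record
            name = "(no PTR record)"
        extra.append(f"Src Hostname: {ip} -> {name}")
    if not extra:
        return alert_text
    return alert_text.rstrip("\n") + "\n" + "\n".join(extra) + "\n"
```

Only addresses inside the three RFC 1918 ranges are sent to the resolver, so public source addresses in the log line never trigger a lookup.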