Obviously, this is coming up in reference to Code Red logs, but it applies in general. Some of the logs we're getting, I believe mostly web logs, log the hostname, and not the IP address. As I'm going through and correlating the logs, this creates a problem.

Now, I'm not writing to complain, but rather warn. If you're logging only reverse DNS names, and not also the IP addresses, then you are throwing away information. As most people know, one can pick an arbitrary reverse name for in-addr.arpa netblocks under one's control. So, if you query an IP address for the name, and get back www.whitehouse.gov, and only store that, then you now have no idea what IP address attacked you.

This comes up especially when you are trying to report incidents. For example, 9 out of 10 of the hostnames I just tried to turn back into an IP didn't work, no host by that name. If I were to try and mail that to the (apparent) domain contact, they wouldn't be able to do anything about it.

Again, just trying to point out to people that they should be careful about what they log.

Ryan

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
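The problem Ryan describes, illustrated as an added example that is not part of the original post: a small log normaliser that keeps the IP address whenever one was logged, annotates it with a forward-confirmed reverse name (the PTR name counts only if its A record points back at the same address), and flags name-only records as either unverified or unresolvable. The PTR and A records, the addresses (RFC 5737 documentation ranges) and the log lines are all constructed so the script runs offline; a real pipeline would swap the dictionaries for socket.gethostbyaddr() and socket.getaddrinfo() calls.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stub DNS data so the example runs offline. In a real pipeline these
# would be socket.gethostbyaddr() / socket.getaddrinfo() lookups. Addresses come
# from the RFC 5737 documentation ranges; every name here is made up.
PTR_RECORDS: Dict[str, str] = {
    "198.51.100.7": "host7.example.net",    # honest PTR: forward record agrees
    "203.0.113.9": "www.whitehouse.gov",    # PTR chosen by the netblock owner; forward disagrees
    "203.0.113.10": "ghost.example.org",    # PTR whose name has no forward record at all
}
A_RECORDS: Dict[str, str] = {
    "host7.example.net": "198.51.100.7",
    "www.whitehouse.gov": "192.0.2.50",     # constructed; deliberately not 203.0.113.9
}


@dataclass
class Normalized:
    ip: Optional[str]       # address you can report on, or None if it cannot be recovered
    name: Optional[str]     # reverse or forward name, informational only
    verdict: str            # how far the record can be trusted
    rest: str               # remainder of the log line, untouched


def is_ip(field: str) -> bool:
    """True if the first log field is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(field)
        return True
    except ValueError:
        return False


def forward_confirmed_ptr(ip: str, ptr=PTR_RECORDS, a=A_RECORDS) -> Optional[str]:
    """Return the PTR name only if its forward (A) record points back at ip."""
    name = ptr.get(ip)
    if name is not None and a.get(name) == ip:
        return name
    return None


def normalize(line: str, ptr=PTR_RECORDS, a=A_RECORDS) -> Normalized:
    """Normalise the first field of a common-log-format line to IP + name + verdict."""
    host, _, rest = line.partition(" ")
    if is_ip(host):
        confirmed = forward_confirmed_ptr(host, ptr, a)
        if confirmed:
            verdict = "ip-logged; ptr-confirmed"
        elif host in ptr:
            verdict = "ip-logged; ptr-unconfirmed"
        else:
            verdict = "ip-logged; no-ptr"
        return Normalized(host, ptr.get(host), verdict, rest)
    # Only a name was logged. A forward lookup may yield *an* address, but nothing
    # proves it is the address that actually made the request.
    recovered = a.get(host)
    if recovered is None:
        return Normalized(None, host, "name-only; unresolvable", rest)
    return Normalized(recovered, host, "name-only; forward-resolved, unverified", rest)


def summarize(lines: List[str], ptr=PTR_RECORDS, a=A_RECORDS) -> Dict[str, int]:
    """Count how many lines fall under each verdict, e.g. to size the unrecoverable share."""
    counts: Dict[str, int] = {}
    for line in lines:
        verdict = normalize(line, ptr, a).verdict
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed sample log lines: two from a server that kept the IP address,
# two from a server that logged only the reverse name.
SAMPLE_LOG = [
    '198.51.100.7 - - [19/Jul/2001:14:02:11 -0700] "GET / HTTP/1.0" 200 1043',
    '203.0.113.9 - - [19/Jul/2001:14:02:12 -0700] "GET / HTTP/1.0" 200 1043',
    'www.whitehouse.gov - - [19/Jul/2001:14:02:13 -0700] "GET / HTTP/1.0" 200 1043',
    'ghost.example.org - - [19/Jul/2001:14:02:14 -0700] "GET / HTTP/1.0" 200 1043',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        n = normalize(line)
        print(f"{str(n.ip):>14} {str(n.name):>20}  {n.verdict}")
    print(summarize(SAMPLE_LOG))
```

The two name-only lines show the two ways a name-only log fails an incident report: the spoofed name forward-resolves to some address, but not the one that made the request, and the third PTR name has no forward record at all, which is the "no host by that name" case. Only the records that logged the IP keep enough to act on.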
This archive was generated by hypermail 2b30 : Wed Aug 01 2001 - 10:46:27 PDT