Snort Forums Archive
BASE - Resolve IP
Posted by diaskimo on June 27, 2005 02:55:29
I got the "Unable to resolve address" message in FQDN field when source/destination IP is foreign address.
I have set an internal DNS IP in /etc/resolv.conf, and set $resolve_IP to 1 in base_config.php.
How to set my BASE and resolve.conf?

Posted by SecureIdeas on June 27, 2005 03:10:05
Are you able to resolve the same ip address if you are on the box running BASE?
Kevin

Posted by diaskimo on June 27, 2005 09:42:55
I am sorry. I revised my question.
I can't resolve IP address when the address is a local private IP rather than foreign IP address.
How to solve this problem?
Thank you for your help.
Dias

Posted by chris on June 29, 2005 00:26:37
Hi dia, are you running any DNS servers on your network?
You'll need some kind of DNS service on your network to look after the private address resolution.
Either the MS version that comes with the server versions of the OS, or BIND, which I believe is common on most *nix OS distributions.

Posted by diaskimo on June 29, 2005 08:19:26
Hi, chris:
I have a DNS server on my network but I still can't resolve any private IP. :(
/etc/resolve.conf: nameserver 192.168.0.9
BASE conf: $resolve_IP = 1;
Thank you very much for your help.
Dias

Posted by chris on June 29, 2005 12:04:25
Mm, interesting. Have you tried using nslookup on the box running BASE, as Kevin suggested, to confirm DNS resolution is working correctly?

Posted by diaskimo on June 29, 2005 22:39:12
When I used nslookup to confirm my DNS resolution, I got the following result:
Note: nslookup is deprecated and may be removed from future releases.
Consider using the `dig' or `host' programs instead. Run nslookup with
the `-sil[ent]' option to prevent this message from appearing.
> 192.168.0.152
Server: 192.168.0.9
Address: 192.168.0.9#53
152.0.168.192.in-addr.arpa name = peter.xxx.com
I still can't resolve private IP addresses in BASE.
Dias

Posted by chris on July 04, 2005 03:57:56
Hi Dias, which page on the BASE console are you viewing when you get the message that the IP addresses can't be resolved?

Posted by diaskimo on July 04, 2005 17:30:05
Hi, chris
I got the message in BASE on these pages: base_stat_uaddr.php, base_qry_alert.php, base_stat_ipaddr.php, ...
Thank you very much.
Dias

Posted by chris on July 05, 2005 02:42:42
Hi Dias, I've been able to replicate the problem partially - I think ;-)
Can you resolve *all* external IP addresses to FQDNs?
There are some external addresses I've not been able to resolve, but only because there was no reverse DNS set for those addresses.
I guess then perhaps you might have to look at reverse DNS resolution on your network, but I hesitate to suggest that this might be the problem, I was hoping that Kevin, from sourcefire, might have some suggestions as to a resolution to your problem as at the moment, I'm unsure *exactly* where your problem lies, but I think it's the reverse DNS.
Cheers,
Chris

Posted by diaskimo on July 05, 2005 08:38:50
Hi Chris,
I can resolve a great part of external IP addresses to FQDNs.
I think I have to look at reverse DNS resolution on my network.
Thank you for your help. That's very nice of you. :)
Dias

Posted by chris on July 05, 2005 15:23:36
You're welcome. If you need more help, don't hesitate to write.
Cheers
chris ;-)

Posted by mykol_j on April 24, 2007 05:01:27
I know this is an old post -- but I keep hitting on it when I search for my issue -- just like in this post, I cannot get BASE to resolve local IP names. Yes, the box can, and does, see and resolve names. I just figured there was a setting in a .conf file somewhere that told it to do the name resolution, but I can't seem to locate it. I understand the recommendations of not putting that task on the sensor, certainly that's something post-processing can do.?
The end of this chain of posts was kind of lacking, there never really was a resolution to this question of resolution, so to speak... :-0
Thanks.
~myk
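Added example (not part of the original thread, and not BASE code): a small audit of the reverse lookups discussed above. For each alert address it shows the PTR name that gets queried, whether that record has to be published by your own DNS (RFC 1918 space) or by the external address holder, and what the operating system resolver returns. It assumes the console's lookup goes through the OS resolver on the BASE host; `SAMPLE_ALERT_IPS`, `audit` and the other names are made up for the illustration.

```python
import ipaddress
import socket

# RFC 1918 ranges: PTR records for these exist only on DNS servers you run yourself.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of alert source/destination addresses. Only 192.168.0.152
# comes from the thread (the nslookup output); the others are invented.
SAMPLE_ALERT_IPS = ["192.168.0.152", "10.1.2.3", "203.0.113.7"]


def ptr_name(ip):
    """Name that a reverse lookup actually queries, e.g. 152.0.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def system_reverse(ip):
    """Reverse-resolve through the OS resolver; None when no name comes back."""
    try:
        name = socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror / socket.gaierror: no PTR, or resolver unreachable
        return None
    return None if name == ip else name


def audit(ips, resolver=system_reverse):
    """Per address: PTR name, who must publish it, and what the resolver returned."""
    rows = []
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        internal = any(addr in net for net in RFC1918)
        rows.append({
            "ip": ip,
            "ptr": ptr_name(ip),
            "zone_owner": "internal" if internal else "external",
            "fqdn": resolver(ip),
        })
    return rows


if __name__ == "__main__":
    for row in audit(SAMPLE_ALERT_IPS):
        status = row["fqdn"] or "UNRESOLVED"
        print(f'{row["ip"]:<16} {row["ptr"]:<30} {row["zone_owner"]:<9} {status}')
```

Run it on the BASE host, ideally as the account the web server runs under, and compare the result with what nslookup reports for the same address.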