Enable static hostname mapping without reverse DNS lookups #14894
Security Onion currently requires enabling reverse DNS lookups to utilize the IP mapping feature. This design creates a potential information leakage concern in some environments. There should be a way to provide static IP-to-hostname mappings without relying on or enabling reverse DNS resolution. Additionally, performing a reverse DNS lookup on an external IP can reveal to a threat actor that their IP address has been investigated. It might also be interesting to add the ability to define IP address ranges with a name (like guest wifi network, office wired, ...). Relevant docs: https://docs.securityonion.net/en/2.4/soc-customization.html#reverse-dns
Depending on what data, say your example above of IP address ranges to a name, you could set up an Elasticsearch enrich policy to do that. https://www.elastic.co/docs/manage-data/ingest/transform-enrich/example-enrich-data-by-matching-value-to-range
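The static mapping the original post asks for (exact hosts plus named ranges such as "guest wifi"), resolved offline with no reverse DNS query, as an added example that is not Security Onion code and not the Elasticsearch enrich policy from the reply above; the mapping-file format and all names and addresses below are constructed assumptions, and the same table could just as well be loaded into an enrich index.

```python
"""Static IP-to-name resolution without any reverse DNS lookup.

Added example (not part of Security Onion): an offline resolver holding
exact host entries plus named ranges, most specific prefix winning.
The mapping format, names and addresses are constructed assumptions.
"""
import ipaddress
from typing import Optional

# Constructed sample mapping: "ip_or_cidr name" per line, '#' starts a comment.
SAMPLE_MAPPING = """
# exact hosts
10.10.1.5        dc01.corp.example
10.10.1.6        fs01.corp.example
# named ranges (longest prefix wins)
10.10.0.0/16     office-wired
10.10.50.0/24    printers-vlan
172.16.8.0/22    guest-wifi
2001:db8:1::/48  lab-v6
"""


class StaticResolver:
    """Resolve IPs against a static table only; never touches the network."""

    def __init__(self, text: str) -> None:
        self.hosts = {}
        self.ranges = []
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            key, name = line.split(None, 1)
            if "/" in key:
                self.ranges.append((ipaddress.ip_network(key, strict=False), name.strip()))
            else:
                self.hosts[ipaddress.ip_address(key)] = name.strip()
        # Longest prefix first, so 10.10.50.0/24 beats 10.10.0.0/16.
        self.ranges.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, ip: str) -> Optional[str]:
        addr = ipaddress.ip_address(ip)
        if addr in self.hosts:
            return self.hosts[addr]
        for net, name in self.ranges:  # v4/v6 mismatch is simply False
            if addr in net:
                return name
        return None  # unknown: stay silent instead of querying DNS


def resolve_all(ips, mapping: str = SAMPLE_MAPPING) -> dict:
    resolver = StaticResolver(mapping)
    return {ip: resolver.lookup(ip) for ip in ips}
```

An external address that is not in the table returns None, so nothing is ever sent to a resolver that the owner of that address could observe.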
I've also created an issue to track breaking the two features into separate enable|disable options. #14900