Resolving source/destination.ip #7132
-
Is it possible to resolve local IPs from revDNS? How to set it up?
Replies: 3 comments
-
This question could have a few different meanings. Please clarify exactly what you're trying to do.
-
I mean resolving my local names, e.g. in the Alerts module – currently it shows only the IP. I've got a DNS server (AD), so my local IPs are resolvable; I don't want to resolve public IPs.
-
If you have an internal web service that can resolve IP addresses to names, then you could add that web service as a custom action:
https://docs.securityonion.net/en/2.3/soc-customization.html#action-menu
Alternatively, you might be able to modify the ingest pipeline to perform the DNS lookups. However, please note that can have serious performance implications for your ingest pipeline.
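
A sketch of the kind of internal lookup service the reply above describes, added here as an example and not part of the discussion or of Security Onion: it answers PTR lookups only for addresses in private ranges, so public IPs are never sent to DNS, and it caches answers to limit load on the resolver. The bind address, port, `ip` query parameter and JSON response shape are assumptions.

```python
# Added example (constructed): reverse-DNS lookup service for local addresses only.
import ipaddress
import json
import socket
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Assumption: "local" means RFC 1918 and IPv6 ULA space; adjust to your site.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
CACHE_TTL = 300   # seconds a PTR answer (or miss) is reused
_cache = {}       # ip -> (expiry, status, name)

def is_local(ip_text):
    """True only for a syntactically valid address inside LOCAL_NETS."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in LOCAL_NETS)

def resolve(ip_text, lookup=socket.gethostbyaddr, now=time.monotonic):
    """Return (status, name); public or malformed input never reaches DNS."""
    if not is_local(ip_text):
        return "skipped", None
    hit = _cache.get(ip_text)
    if hit and hit[0] > now():
        return hit[1], hit[2]
    try:
        result = ("ok", lookup(ip_text)[0])
    except (socket.herror, socket.gaierror):
        result = ("no-ptr", None)
    _cache[ip_text] = (now() + CACHE_TTL, *result)
    return result

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):  # e.g. GET /?ip=10.1.2.3
        ip = parse_qs(urlparse(self.path).query).get("ip", [""])[0]
        status, name = resolve(ip)
        body = json.dumps({"ip": ip, "status": status, "name": name}).encode()
        self.send_response(400 if status == "skipped" else 200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    # Assumption: bind address and port are placeholders for an internal host.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```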