DinoTools / dionaea

Home of the dionaea honeypot
https://dionaea.readthedocs.io/
GNU General Public License v2.0

Reverse DNS in incident #171

Open zenire opened 6 years ago

zenire commented 6 years ago
DESCRIPTION

Add the ability to enable Reverse DNS lookups. At the moment an incident contains the IP of the attacker. We would also like to see the Reverse DNS of the attacker.

We can look up the reverse DNS afterwards in Elasticsearch or in the logstash pipeline, but we need to use the local DNS servers of the device which runs Dionaea in order to see the internal reverse DNS/hostnames.

Waseem-farooqui commented 5 years ago

You mean reverse IP lookup for the attacker's IP. There are a lot of things that people want to see, like geolocation of the IP address; it's possible, but it adds another layer for the enrichment of the attacks.

kuqadk3 commented 5 years ago

@Waseem-farooqui I think he means that when we find an IP in logs or a file, we want to reverse it back to a domain name. Let's say 127.0.0.1 => google.com

zenire commented 5 years ago

That is right @kuqadk3

We are already performing GeoIP lookups in our Elastic Logstash pipeline, but reverse DNS is something that has to be done on the dionaea device.

The server with dionaea can perform DNS lookups to the DNS server in the network. It can get the reverse DNS for local clients. We can’t get a result of doing a reverse DNS lookup for 192.168.1.2 at the logstash pipeline.
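Added example, not dionaea's own code: an enrichment step of the kind described in this thread, run on the honeypot host so that private addresses such as 192.168.1.2 resolve through the box's own DNS servers rather than in logstash. The incident field names (`remote_host`, `remote_port`), the `FAKE_PTR_TABLE` resolver standing in for an internal DNS server, and the `_pool`-based timeout are assumptions constructed for offline runs; the PTR name is set by whoever controls the address's reverse zone, so the pipeline should treat it as untrusted input.

```python
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout
from functools import lru_cache
from typing import Callable, Optional

# A resolver maps an IP string to a hostname and raises socket.herror when no
# PTR record exists. The default asks the host's own resolver (resolv.conf),
# which is why the lookup has to run on the dionaea box, not in logstash.
Resolver = Callable[[str], str]

def system_reverse_lookup(ip: str) -> str:
    hostname, _aliases, _addrs = socket.gethostbyaddr(ip)
    return hostname

# Constructed PTR table standing in for an internal DNS server (offline runs).
FAKE_PTR_TABLE = {"192.168.1.2": "printer.corp.example", "10.0.0.5": "nas.corp.example"}
CALLS = []                                   # records what reached the fake server

def fake_reverse_lookup(ip: str) -> str:
    CALLS.append(ip)
    if ip not in FAKE_PTR_TABLE:
        raise socket.herror(1, "Unknown host")
    return FAKE_PTR_TABLE[ip]

_pool = ThreadPoolExecutor(max_workers=4)

def make_reverse_dns(resolver: Resolver = system_reverse_lookup,
                     timeout: float = 2.0) -> Callable[[str], Optional[str]]:
    """Build a cached, time-bounded reverse-DNS function that never raises."""
    @lru_cache(maxsize=4096)                 # attackers repeat; query each IP once
    def reverse_dns(ip: str) -> Optional[str]:
        try:
            ipaddress.ip_address(ip)         # reject garbage before it reaches DNS
        except ValueError:
            return None
        future = _pool.submit(resolver, ip)  # bounded wait so DNS never stalls the honeypot
        try:
            return future.result(timeout=timeout)
        except (socket.herror, socket.gaierror, OSError, FutureTimeout):
            return None                      # no PTR, resolver down, or too slow
    return reverse_dns

def enrich_incident(incident: dict, reverse_dns: Callable[[str], Optional[str]]) -> dict:
    """Add the PTR name (owner-controlled, so untrusted input) and a private-space flag."""
    ip = incident["remote_host"]
    out = dict(incident)
    out["remote_hostname"] = reverse_dns(ip)
    out["remote_is_private"] = ipaddress.ip_address(ip).is_private
    return out
```

Pass `make_reverse_dns()` with its default resolver on the honeypot host to use the real local DNS servers; `remote_is_private` lets the logstash side know which hostnames could only have come from the internal resolver.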