Sguil: disable DNS lookups in pcap transcripts

[dougburks]

No description provided.

[dougburks]

Default to having DNS lookups disabled, but allow the user to enable them by setting the following in /etc/nsm/securityonion/sguild.conf:

set TRANSCRIPT_DNS_LOOKUP 1

To do this, make the following changes to the GenerateXscript and GenerateBroscript functions in /usr/lib/sguild/SguildTranscript.tcl:

add TRANSCRIPT_DNS_LOOKUP to global transInfoArray

if { [info exists TRANSCRIPT_DNS_LOOKUP] && $TRANSCRIPT_DNS_LOOKUP == "1" } {
catch {SendSocket $clientSocketID [list XscriptMainMsg $winName "Src IP:\t\t$srcIP\t([GetHostbyAddr $srcIP])"]}
catch {SendSocket $clientSocketID [list XscriptMainMsg $winName "Dst IP:\t\t$dstIP\t([GetHostbyAddr $dstIP])"]}
} else {
catch {SendSocket $clientSocketID [list XscriptMainMsg $winName "Src IP:\t\t$srcIP"]}
catch {SendSocket $clientSocketID [list XscriptMainMsg $winName "Dst IP:\t\t$dstIP"]}
}

[dougburks]

submitted for testing:
https://groups.google.com/d/topic/security-onion-testing/bq0J225LhoI/discussion

[dougburks]

published:
http://blog.securityonion.net/2018/01/securityonion-sguil-20141004.html