Display Source/Destination IP as DNS Host Name instead of IP Address #125

Open
itsCodyBo opened this issue Dec 12, 2019 · 2 comments

@itsCodyBo

Hello, I tried searching for this in previous issues but my apologies if it has already been discussed.

I was wondering if it would be at all possible to modify my local instance of EveBox in such a way that instead of showing the actual Source/Destination IP address of the captured events we could instead display the DNS host name that the IP address resolves to.

I'm currently running EveBox in conjunction with Selks-5.0 and I have a large network with a lot of traffic so this would be hugely beneficial to me. Has a feature like this been previously discussed or would it be practical to implement this on my own?

Thanks, love the product!

@jasonish
Owner

Unfortunately, I don't think this is very feasible. The lookup of this info, when generating the inbox page for example, would kill performance - assuming we're using the DNS log records for resolution. Also, multiple hostnames can map to a single IP, which makes it too ambiguous in my opinion.

Something I've played with in the past is pulling in related DNS records in the event display page. But you'd have to click on the event to see that info. I may look back into this.

@mtoupsUNO

I understand the performance issue of so many DNS queries, but what I'd like to see is a way to match just IP addresses on my end to names which are meaningful to me.

Using a file like /etc/hosts to map those to names would be fast and would make it much easier to scan EveBox for certain hosts I'm looking for. If there was an option to provide a hosts file for my most common IP addresses, that would help me a lot. Thanks!
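
The hosts-file mapping suggested in the last comment, as an added example that is not EveBox code and not written by any participant in this thread: it tags Suricata EVE JSON records with names from an /etc/hosts-style file in one in-memory lookup per address, with no DNS queries. The `src_host`/`dest_host` output fields, the function names and the sample data are assumptions constructed for illustration; `src_ip` and `dest_ip` are the standard EVE fields.

```python
import ipaddress
import json

# Constructed sample data (not from the issue): a hosts-format file and EVE lines.
SAMPLE_HOSTS = """\
# analyst-maintained names
10.0.0.5    fileserver fs01   # aliases after the first name are ignored
10.0.0.9    printer-2f
fd00::0005  build-agent
not-an-ip   ignored
"""
SAMPLE_EVE = [
    '{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"192.0.2.44"}',
    '{"event_type":"dns","src_ip":"fd00::5","dest_ip":"10.0.0.9"}',
]


def parse_hosts(text):
    """Parse /etc/hosts-style text into {ip_address object: first name}."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split columns
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # skip malformed address entries
        # Keep one name per IP (first seen) so the displayed label is unambiguous.
        table.setdefault(addr, fields[1])
    return table


def annotate(event, table):
    """Return a copy of the event with src_host/dest_host added where known."""
    out = dict(event)
    for ip_key, host_key in (("src_ip", "src_host"), ("dest_ip", "dest_host")):
        try:
            # Parsing normalizes the address, so "fd00::5" matches "fd00::0005".
            addr = ipaddress.ip_address(event.get(ip_key, ""))
        except ValueError:
            continue  # event has no usable address in this field
        if addr in table:
            out[host_key] = table[addr]
    return out


def annotate_lines(lines, hosts_text):
    # Hypothetical helper: annotate newline-delimited EVE JSON records.
    table = parse_hosts(hosts_text)
    return [annotate(json.loads(line), table) for line in lines if line.strip()]
```

Addresses with no entry in the file are left untouched, so unknown hosts still show as plain IPs.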
