Snort mailing list archives
Re: Snort X MAC (Who is who?)
From: "Alex Rodrigues" <alex () bsbnet com>
Date: Mon, 10 Dec 2001 15:37:44 -0200
I have the same question about netbios names. We use DHCP and I wish to know if Snort can log IP address and MAC address. My idea is to make a table with all my internal MACs and the users. My problem is to know who is who 2 or 3 days after the attack or suspicious traffic. Any good idea about it?

Thanks.
Alex

----- Original Message -----
From: "Brian Ertel" <bsertel () amherst edu>
To: <snort-users () lists sourceforge net>
Sent: Monday, December 10, 2001 2:26 PM
Subject: RE: [Snort-users] NetBios Names

Thank you Chris

----------------------------------
Brian Ertel
Systems & Networking
Amherst College
Voice: 413-542-8320
Fax: 413-542-2626
bsertel () amherst edu
----------------------------------

-----Original Message-----
From: Chris Green [mailto:cmg () uab edu]
Sent: Monday, December 10, 2001 8:27 AM
To: Brian Ertel
Cc: 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] NetBios Names

Brian Ertel <bsertel () amherst edu> writes:

> Hello All, Does anyone know how to config Snort to return NetBios names of offenders. It is obvious how to get the IP, and MAC addresses, but I haven't seen anything on getting the NetBios name?

Getting the NETBIOS name would require Snort to stop what it's doing, and then try and ask the machine in question its name, wait for it to time, and then get back to what it was doing. DNS or Name lookups aren't something Snort is going to do out of the box.

If you need this information (preferably for only a few specific rules), you are best off writing something with swatch and nmblookup.

I would be very hesitant to turn this on for things not in my network as well because the last thing you need is handling abuse reports from people thinking your IDS sensor has a Windows share worm.

--
Chris Green <cmg () uab edu>
Let not the sands of time get in your lunch.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
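
An added example, not part of the thread and not code from Snort or the posters: one way to answer "who had this IP when the alert fired" on a DHCP network, by joining lease history to the MAC-to-user table described in the post. It assumes ISC dhcpd-style lease records (the thread does not name the DHCP server); the lease text, the inventory and the function names `parse_leases` and `who_had` are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample: ISC dhcpd-style lease history (assumed format, UTC times).
# The same IP is handed to two different machines on the same day.
LEASES = """
lease 192.168.1.50 {
  starts 1 2001/12/10 12:00:00;
  ends 1 2001/12/10 16:00:00;
  hardware ethernet 00:10:5a:aa:bb:01;
}
lease 192.168.1.50 {
  starts 1 2001/12/10 16:30:00;
  ends 1 2001/12/10 20:30:00;
  hardware ethernet 00:10:5A:AA:BB:02;
}
"""

# Constructed MAC-to-user inventory (the table the post describes).
MAC_USERS = {"00:10:5a:aa:bb:01": "user-a", "00:10:5a:aa:bb:02": "user-b"}

LEASE_RE = re.compile(
    r"lease\s+(\S+)\s*\{[^}]*?starts\s+\d\s+([\d/]+ [\d:]+);"
    r"[^}]*?ends\s+\d\s+([\d/]+ [\d:]+);"
    r"[^}]*?hardware ethernet\s+([0-9A-Fa-f:]+);"
)
TS_FMT = "%Y/%m/%d %H:%M:%S"


def parse_leases(text):
    """Return (ip, start, end, mac) tuples; MACs are lower-cased for lookup."""
    return [
        (ip, datetime.strptime(s, TS_FMT), datetime.strptime(e, TS_FMT), mac.lower())
        for ip, s, e, mac in LEASE_RE.findall(text)
    ]


def who_had(ip, when, leases, mac_users):
    """Map an alert's source IP and timestamp to (mac, user).

    Returns None when no lease covers that moment, so the machine that
    holds the address today is never blamed for older traffic.
    """
    for lease_ip, start, end, mac in leases:
        if lease_ip == ip and start <= when <= end:
            return mac, mac_users.get(mac, "unknown")
    return None
```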
Current thread:
- NetBios Names Brian Ertel (Dec 10)
- Re: NetBios Names Chris Green (Dec 10)
- <Possible follow-ups>
- RE: NetBios Names Brian Ertel (Dec 10)
- Re: NetBios Names ed.davis (Dec 10)
- RE: NetBios Names Brian Ertel (Dec 10)
- Re: Snort X MAC (Who is who?) Alex Rodrigues (Dec 10)
- Re: Re: Snort X MAC (Who is who?) Chris Green (Dec 10)
- Re: Snort X MAC (Who is who?) Alex Rodrigues (Dec 10)