Snort mailing list archives
RE: Tracking internal users with snort
From: "Wirth, Jeff" <WirthJe () DNB com>
Date: Thu, 7 Feb 2002 09:59:24 -0500
Peter,

The one thing that "should" remain static is the client's MAC address, that is of course until they move to another machine. You may want to look into using BPF expressions in combination with a snort process... i.e....

snort <options> ether host XX:XX:XX:XX:XX:XX

(or use -F switch with BPF file)

I've used this to temporarily track suspect users in the past. More details can be found in the snort man page...

- Jeff

-----Original Message-----
From: Nikitser, Peter [mailto:peter_nikitser () yahoo com au]
Sent: Thursday, February 07, 2002 12:59 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Tracking internal users with snort

Hi,

I've scanned the archives and read the User Manual, but couldn't find an answer to the challenge I have at present.

I have been asked if it is possible to track certain individuals within the organisation I'm currently contracting to. These users have their IP number assigned via DHCP, and S2.2.3 of the User Manual states that name resolution is not supported, so it looks like IP numbers are what I'll have to use.

Some scenarios we've thought of are:
1) the user may have their IP address changed via DHCP, e.g. they go on holidays;
2) they purposefully use another PC to avoid detection

A solution I've thought of is using statically assigned MAC -> IP address via DHCP. This solution obviously falls outside the scope of snort, but can snort be configured to track packet payloads with user credentials or hostnames?

Has anybody tackled something like this before?

Thanks,
Peter.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
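As an added example (not from either poster), the "-F switch with BPF file" approach Jeff describes: a small POSIX sh script that validates the suspect MAC addresses, builds an "ether host ... or ether host ..." expression and writes it to a file for snort -F; the interface, log directory and MAC values are placeholders.

```shell
#!/bin/sh
# Added example: limit a snort process to frames to/from one or more suspect
# MAC addresses via a BPF filter file (snort -F <file>), as Jeff suggests.
# Caveat: "ether host" only matches on the sensor's own layer-2 segment. Once a
# packet has crossed a router the source MAC is the router's, so the sensor
# must sit on the same switch/VLAN as the tracked host.

# Return 0 if $1 looks like a MAC address (aa:bb:cc:dd:ee:ff), 1 otherwise.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Print a BPF expression matching any of the given MACs, e.g.
#   ether host 00:11:22:33:44:55 or ether host 66:77:88:99:aa:bb
# Fails (status 1, nothing printed) if no MAC is given or one is malformed.
build_mac_filter() {
    filter_expr=""
    for mac in "$@"; do
        is_mac "$mac" || { echo "bad MAC address: $mac" >&2; return 1; }
        if [ -z "$filter_expr" ]; then
            filter_expr="ether host $mac"
        else
            filter_expr="$filter_expr or ether host $mac"
        fi
    done
    [ -n "$filter_expr" ] || return 1
    printf '%s\n' "$filter_expr"
}

# Write the expression to $1 so it can be handed to snort with -F.
write_bpf_file() {
    out=$1; shift
    filter=$(build_mac_filter "$@") || return 1
    printf '%s\n' "$filter" > "$out"
}

# Usage (hypothetical values): ./track_mac.sh /tmp/suspect.bpf 00:11:22:33:44:55
# Only runs when called with arguments so the functions can also be sourced.
if [ "$#" -ge 2 ]; then
    write_bpf_file "$@" || exit 1
    echo "BPF filter written to $1:"; cat "$1"
    # eth0 and /var/log/snort are placeholders; -i, -l and -F are real snort options.
    echo "run: snort -i eth0 -l /var/log/snort -F $1"
fi
```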
Current thread:
- Tracking internal users with snort Nikitser, Peter (Feb 06)
- <Possible follow-ups>
- RE: Tracking internal users with snort Wirth, Jeff (Feb 07)