Snort mailing list archives

RE: Tracking internal users with snort

From: "Wirth, Jeff" <WirthJe () DNB com>
Date: Thu, 7 Feb 2002 09:59:24 -0500

Peter,

The one thing that "should" remain static is the client's MAC address, that
is of course until they move to another machine.  You may want to look into
using BPF expressions in combination with a snort process...

i.e....

snort <options> ether host XX:XX:XX:XX:XX:XX (or use -F switch with BPF
file)

I've used this to temporally track suspect users in the past.  More details
can be found in the snort man page...

- Jeff


-----Original Message-----
From: Nikitser, Peter [mailto:peter_nikitser () yahoo com au]
Sent: Thursday, February 07, 2002 12:59 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Tracking internal users with snort


Hi,

I've scanned the archives and read the User Manual, but couldn't find
an answer to the challenge I have at present.

I have been asked if it is possible to track certain individuals
within the organisation I'm currently contracting to.  These users
have the IP number assigned via DHCP, and S2.2.3 of the User Manual
states that name resolution is not supported, so it looks like IP
numbers are what I'll have to use.

Some scenarios we've thought of are:

  1) the user may have their IP address changed via DHCP, e.g. they
go on holidays;
  2) they purposefully use another PC to avoid detection

A solution I've thought of, is using statically assigned MAC -> IP
address via DHCP.  This solution obviously falls outside the scope of
snort, but can snort be configured to track packet payloads with user
credentials or hostnames?  Has anybody tackled something like this
before?

Thanks, Peter.

=====


http://greetings.yahoo.com.au - Yahoo! Greetings
- Send your Valentines love online.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Tracking internal users with snort Nikitser, Peter (Feb 06)
- <Possible follow-ups>
- RE: Tracking internal users with snort Wirth, Jeff (Feb 07)