Snort mailing list archives
RE: Tying alerts to hostnames?
From: "Hicks, John" <JHicks () JUSTICE GC CA>
Date: Tue, 18 Jun 2002 10:08:05 -0400
On my Windows network @home I simply set my sniffer box to use the DHCP server as its primary DNS server and it matches hostnames locally quite nicely.

John

-----Original Message-----
From: John Sage [mailto:jsage () finchhaven com]
Sent: Monday, June 17, 2002 11:58 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Tying alerts to hostnames?

Scott:

On Mon, Jun 17, 2002 at 03:05:32PM -0500, Scott Phippen wrote:
Is it possible for Snort to resolve and log the hostname in addition to the IP address at the time an alert is triggered? On a network where IP leases are changing as workstations come on and off the network, logging just the IP makes it difficult to trace back alerts (in particular some of the policy.rules) to the correct workstation. If not, maybe someone could offer some suggestions on how they are tying the alerts to particular users/workstations in a DHCP environment where leases change frequently. Thanks in advance!!!

Running Snort 1.8.3/MySQL 3.23.43/Acid 0.9.6b17 on Win2000.
um... oops.

Despite your getting two "nopes" from the inestimable Chris Green and Erek Adams, I was going to suggest that you might be able to get close to what you need with Dan Swan's snort2html.pl -- see: http://www.memeticcandiru.com/software/snort2html

But then I noticed that you're on Window$ and I think my answer just became "nope", too..

Just for the record, snort2html.pl reads alerts out of /var/log/syslog on Linux and writes to a web page. Dan's script does do host name lookups from the IPs; if you did a real fast refresh rate it'd be kinda close-ish to real time, kinda.. 'course it's rebuilding the web page from zero at each refresh, so when it gets biggish, you might end up trying to refresh before you had all the names resolved. I was refreshing once a minute, and it would handle several hundred alerts with no sweat; then again, name resolution was coming from my local, caching-only nameserver, so I only had to go to the outside world once for each new IP...

Never mind. I'll stop babbling, now.

- John
--
"You are in a little maze of twisty passages, all different."
PGP key http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5

----------------------------------------------------------------------------
Bringing you mounds of caffeinated joy >>> http://thinkgeek.com/sf <<<
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
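The approach the thread describes (snort2html.pl reading Snort alerts from syslog and resolving each IP through a local caching nameserver, or pointing the sensor at the DHCP server's DNS as Hicks suggests), as an added example that is not code from the thread or from snort2html.pl. It parses Snort 1.x-style syslog alert lines, resolves each address once per run through a small cache, and takes a pluggable resolver; the sample log lines, lease table and hostnames are constructed so it runs offline, and `system_resolver` is what you would plug in on a real sensor.

```python
import re
import socket
from typing import Callable, Dict, List

# Shape of a Snort 1.x alert as written by the syslog output plugin
# (sample lines below are constructed, not captured from a real sensor).
ALERT_RE = re.compile(
    r"snort(?:\[\d+\])?: \[(?P<sid>[\d:]+)\] (?P<msg>.*?) "
    r"(?:\[Classification: [^\]]*\] )?(?:\[Priority: \d+\]: )?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?"
)

def system_resolver(ip: str) -> str:
    """Reverse lookup via the sensor's configured DNS; falls back to the bare IP."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return ip

class HostnameCache:
    """Resolve each IP once per run, like the caching-only nameserver in the thread."""
    def __init__(self, resolver: Callable[[str], str] = system_resolver):
        self._resolver = resolver
        self._cache: Dict[str, str] = {}
        self.lookups = 0  # how many times the real resolver was actually called

    def resolve(self, ip: str) -> str:
        if ip not in self._cache:
            self.lookups += 1
            self._cache[ip] = self._resolver(ip)
        return self._cache[ip]

def annotate(lines: List[str], cache: HostnameCache) -> List[Dict[str, str]]:
    """Parse Snort syslog alert lines; non-alert lines are skipped."""
    out = []
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            out.append({"sid": m["sid"], "msg": m["msg"], "proto": m["proto"],
                        "src": m["src"], "src_host": cache.resolve(m["src"]),
                        "dst": m["dst"], "dst_host": cache.resolve(m["dst"])})
    return out

SAMPLE_SYSLOG = [  # constructed sample input
    "Jun 17 15:05:32 sensor snort: [1:1000:1] POLICY example rule [Classification: Not Suspicious Traffic] [Priority: 3]: {TCP} 192.168.1.23:1044 -> 192.168.1.1:80",
    "Jun 17 15:05:40 sensor snort: [1:1000:1] POLICY example rule [Classification: Not Suspicious Traffic] [Priority: 3]: {TCP} 192.168.1.23:1045 -> 192.168.1.1:80",
    "Jun 17 15:06:01 sensor snort: [1:2000:2] SCAN example rule [Priority: 2]: {UDP} 192.168.1.57:3021 -> 192.168.1.1:53",
    "Jun 17 15:06:05 sensor kernel: unrelated line",
]
# Constructed lease table standing in for the DHCP server's DNS (hypothetical names).
FAKE_LEASES = {"192.168.1.23": "ws-alice.example.lan", "192.168.1.57": "ws-bob.example.lan"}
def fake_resolver(ip: str) -> str:
    return FAKE_LEASES.get(ip, ip)

if __name__ == "__main__":
    cache = HostnameCache(fake_resolver)
    for a in annotate(SAMPLE_SYSLOG, cache):
        print(f"[{a['sid']}] {a['msg']}: {a['src_host']} -> {a['dst_host']}")
    print(f"{cache.lookups} resolver calls for {len(SAMPLE_SYSLOG)} lines")
```

Because the cache persists for the run, a refresh that reuses the same `HostnameCache` object does not re-query addresses already seen, which is the problem John Sage ran into when the page was rebuilt from zero.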
Current thread:
- Tying alerts to hostnames? Scott Phippen (Jun 17)
- Re: Tying alerts to hostnames? Chris Green (Jun 17)
- Re: Tying alerts to hostnames? Erek Adams (Jun 17)
- Re: Tying alerts to hostnames? John Sage (Jun 17)
- Re: Tying alerts to hostnames? - Windowz Tools Scot Scot (Jun 18)
- <Possible follow-ups>
- RE: Tying alerts to hostnames? Hicks, John (Jun 18)