Snort mailing list archives

Re: Snort as Network Intrusion Detection system - Help Needed


From: Erek Adams <erek () snort org>
Date: Tue, 4 Mar 2003 18:15:49 -0500 (EST)

On Tue, 4 Mar 2003, Sadanapalli, Pradeep Kumar (MED, TCS) wrote:

[...snip...]

Whenever it detects a scan on a port, it first tries to resolve the IP
address via DNS Lookup. If the IP is resolved,
it replaces the IP with the hostname and logs.
If the IP is not resolved, it will not query back via NetBIOS, but just
logs the event.


Now I would like to run SNORT as an Intrusion Detection System on my
Linux Desktop running RedHat Linux 8.0
with snort-1.9.0. My Linux Box is in the LAN.
I would also like to achieve the above functionality with snort. Please
help in achieving this.
What should I configure in my snort.conf file? Do I need to edit the
rules database?
Any guidance is appreciated.

Snort doesn't do this, as DNS lookups take time out from processing what
really matters, 'packets on the wire'.

You'll have to do something to post-process the snort logs if you really
need to see a hostname....

Besides, what's wrong with "nslookup <foo>"?  :)

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
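
One way to do the post-processing Erek suggests, as an added example that is not part of this thread and not part of Snort itself: read Snort "fast" alert lines, reverse-resolve the source and destination addresses once each (cached), append the hostname where a PTR record exists, and leave the IP as-is where it does not, so unresolved scans are still logged unchanged. The alert-line layout and the sample lines are constructed for the example; `socket.gethostbyaddr` is the real resolver, and a lookup table is passed in place of it so the block runs offline.

```python
import re
import socket
from typing import Callable, Dict, List, Optional

# Address pair at the end of a Snort "fast" alert line (layout assumed here),
# e.g. "{TCP} 10.0.0.5:4321 -> 10.0.0.9:705" or "{ICMP} 10.0.0.5 -> 10.0.0.9".
_ADDR_PAIR = re.compile(
    r"\{(?P<proto>[A-Z]+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

Resolver = Callable[[str], Optional[str]]


def reverse_lookup(ip: str) -> Optional[str]:
    """Reverse-DNS one address via the system resolver; None when no PTR record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def annotate_alert(line: str, resolver: Resolver, cache: Dict[str, Optional[str]]) -> str:
    """Append "(hostname)" after each IP that resolves; leave unresolved IPs untouched."""
    line = line.rstrip("\n")
    m = _ADDR_PAIR.search(line)
    if not m:
        return line  # not an address-bearing alert line: pass through unchanged

    def name(ip: str) -> str:
        if ip not in cache:
            cache[ip] = resolver(ip)  # one lookup per IP for the whole log run
        host = cache[ip]
        return f"{ip}({host})" if host else ip

    src = name(m.group("src")) + (f":{m.group('sport')}" if m.group("sport") else "")
    dst = name(m.group("dst")) + (f":{m.group('dport')}" if m.group("dport") else "")
    return line[: m.start()] + f"{{{m.group('proto')}}} {src} -> {dst}"


def annotate_log(lines: List[str], resolver: Resolver = reverse_lookup) -> List[str]:
    """Annotate every line of an alert file, sharing one lookup cache across the run."""
    cache: Dict[str, Optional[str]] = {}
    return [annotate_alert(line, resolver, cache) for line in lines]


# Constructed sample alerts and a constructed PTR table (10.0.0.9 has no record).
SAMPLE_ALERTS = [
    "03/04-18:15:49.123456  [**] [1:469:1] ICMP PING NMAP [**] [Priority: 2] {ICMP} 10.0.0.5 -> 10.0.0.9",
    "03/04-18:15:50.000001  [**] [1:1421:2] SNMP AgentX/tcp request [**] [Priority: 2] {TCP} 10.0.0.5:4321 -> 10.0.0.9:705",
]
FAKE_PTR = {"10.0.0.5": "scanner.example.test"}
```

Run it over a real file with `annotate_log(open("alert").readlines())`; the cache keeps a noisy scanner from triggering one DNS query per alert line.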

