Snort mailing list archives
Re: question on mapping net IPs to hosts
From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 28 Jul 2004 11:38:29 -0400
At 10:30 PM 7/27/2004, jeffs () speakeasy net wrote:
Assuming one is monitoring an internal net of say 10.0.0.0/24 and getting logs and alerts for a bunch of hosts which are dynamically assigned their IP number. How do people in this group go about mapping those dynamically assigned IPs to actual machines with the purpose of tracking down malware or whatever on those individual host machines, since these IP numbers are dynamic and ever changing?
There's several ways, but I usually start by back-tracking the MAC address. First, get the MAC address of the offending machine (be sure to make use of the time of alert to resolve possible duplicates):
1) use your DHCP server logs to correlate an IP address to a MAC address.
2) use arpwatch to keep track of IP address and MAC pairings and use its logs.
Once you've got that, you can start working back to where the unit is. You can track what IP it has now by searching the logs for the MAC, or if you have a managed switch you may be able to check its MAC tables.
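The DHCP-log correlation described above, as an added example that is not part of the original post: it takes a Snort alert's IP and timestamp, finds the DHCPACK in effect at that moment (so an address re-leased to a different MAC later the same day does not get blamed), and then looks up the MAC's most recent lease to see where it is now. The log lines are constructed in the style of ISC dhcpd syslog output, and the year is supplied separately because syslog timestamps do not carry one.

```python
import re
from datetime import datetime

# Constructed sample lines in the style of ISC dhcpd syslog output (not real logs).
# Note 10.0.0.42 is handed to two different MACs on the same day.
DHCP_LOG = """\
Jul 27 18:02:11 dhcpsrv dhcpd: DHCPACK on 10.0.0.42 to 00:11:22:33:44:55 (lab-pc1) via eth0
Jul 27 21:55:02 dhcpsrv dhcpd: DHCPACK on 10.0.0.42 to aa:bb:cc:dd:ee:ff (laptop-7) via eth0
Jul 27 22:40:17 dhcpsrv dhcpd: DHCPACK on 10.0.0.43 to 00:11:22:33:44:55 (lab-pc1) via eth0
"""

ACK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on (?P<ip>[\d.]+) "
    r"to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \((?P<host>[^)]*)\))?",
    re.IGNORECASE,
)

def _syslog_ts(text, year):
    """Parse a syslog 'Mon DD HH:MM:SS' timestamp; the year must be supplied."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def parse_acks(log_text, year):
    """Return a list of (timestamp, ip, mac, hostname) from DHCPACK lines."""
    leases = []
    for line in log_text.splitlines():
        m = ACK_RE.match(line)
        if m:  # non-ACK lines (DISCOVER, OFFER, REQUEST, ...) are skipped
            leases.append((_syslog_ts(m["ts"], year), m["ip"], m["mac"].lower(), m["host"]))
    return leases

def mac_at_time(leases, ip, alert_ts, year):
    """MAC (and hostname) holding `ip` at the alert time: the latest ACK at or
    before the alert, so a later re-lease of the same IP is not blamed.
    Returns None if no ACK for that IP precedes the alert."""
    when = _syslog_ts(alert_ts, year)
    hits = [l for l in leases if l[1] == ip and l[0] <= when]
    if not hits:
        return None
    _, _, mac, host = max(hits, key=lambda l: l[0])
    return mac, host

def current_ip_for_mac(leases, mac):
    """Where is that MAC now? Its most recent DHCPACK, or None if never seen."""
    hits = [l for l in leases if l[2] == mac.lower()]
    return max(hits, key=lambda l: l[0])[1] if hits else None

if __name__ == "__main__":
    leases = parse_acks(DHCP_LOG, 2004)
    print(mac_at_time(leases, "10.0.0.42", "Jul 27 22:10:00", 2004))  # laptop-7, not lab-pc1
    print(current_ip_for_mac(leases, "00:11:22:33:44:55"))            # lab-pc1 has moved to .43
```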