Snort mailing list archives

Re: question on mapping net IPs to hosts


From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 28 Jul 2004 11:38:29 -0400

At 10:30 PM 7/27/2004, jeffs () speakeasy net wrote:
Assuming one is monitoring an internal net of say 10.0.0.0/24 and getting
logs and alerts for a bunch of hosts which are dynamically assigned their
ip number.  How do people in this group go about mapping those dynamically
assigned IPs to actual machines with the purpose of tracking down malware
or whatever on those individual host machines, since these IP numbers are
dynamic and ever changing.

There are several ways, but I usually start by back-tracking the MAC address:

First, get the mac address of the offending machine: (be sure to make use of the time of alert to resolve possible duplicates)

1) use your DHCP server logs to correlate an IP address to a MAC address.
2) use arpwatch to keep track of IP address and MAC pairings and use its logs.

Once you've got that you can start working back where the unit is. You can track what IP it has now, by searching the logs for the MAC, or if you have a managed switch you may be able to check the MAC tables of that.
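The correlation described in the reply above, as an added example that is not part of the original post: a small Python script that parses DHCPACK lines from an ISC dhcpd syslog and "new station" / "changed ethernet address" lines from arpwatch, then answers the two questions the poster raises, which MAC held a given IP at the time of the alert, and which IP that MAC has now. The log lines are constructed samples, the syslog year is an assumption (syslog omits it), and the exact message formats are the common dhcpd/arpwatch ones rather than anything taken from the list post.

```python
import re
from datetime import datetime
from typing import List, NamedTuple, Optional, Union

# Constructed sample syslog lines (not from the list post): an ISC dhcpd server
# and an arpwatch sensor watching the same /24. Syslog omits the year, so the
# caller supplies one (assumed 2004 below to match the thread's date).
SAMPLE_LOG = """\
Jul 27 08:02:11 dhcpsrv dhcpd: DHCPACK on 10.0.0.42 to 00:11:22:33:44:55 (laptop-a) via eth0
Jul 27 13:45:09 dhcpsrv dhcpd: DHCPACK on 10.0.0.42 to 00:aa:bb:cc:dd:ee (laptop-b) via eth0
Jul 27 13:45:10 sensor arpwatch: changed ethernet address 10.0.0.42 0:aa:bb:cc:dd:ee (0:11:22:33:44:55) eth0
Jul 27 21:10:40 dhcpsrv dhcpd: DHCPACK on 10.0.0.42 to 00:11:22:33:44:55 (laptop-a) via eth0
Jul 28 09:00:02 dhcpsrv dhcpd: DHCPACK on 10.0.0.77 to 00:11:22:33:44:55 (laptop-a) via eth0
Jul 28 09:00:03 sensor arpwatch: new station 10.0.0.77 0:11:22:33:44:55 eth0
"""


class Pairing(NamedTuple):
    when: datetime
    ip: str
    mac: str
    source: str  # "dhcpd" or "arpwatch"


# Syslog timestamp: "Jul 27 08:02:11" (day may be space-padded).
TS = r"(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)"
DHCP_RE = re.compile(TS + r" \S+ dhcpd: DHCPACK on (?P<ip>\S+) to (?P<mac>[0-9a-fA-F:]+)")
# arpwatch prints unpadded octets ("0:aa:..."); for "changed ethernet address"
# the first MAC is the new one, the old one follows in parentheses.
ARP_RE = re.compile(
    TS + r" \S+ arpwatch: (?:new station|changed ethernet address|flip flop) "
    r"(?P<ip>\S+) (?P<mac>[0-9a-fA-F:]+)"
)


def normalize_mac(mac: str) -> str:
    """Canonical lower-case, zero-padded form so dhcpd and arpwatch MACs compare equal."""
    return ":".join(octet.lower().zfill(2) for octet in mac.split(":"))


def parse_pairings(text: str, year: int) -> List[Pairing]:
    """Extract (time, ip, mac) pairings from mixed dhcpd/arpwatch syslog text, oldest first."""
    events = []
    for line in text.splitlines():
        for source, rx in (("dhcpd", DHCP_RE), ("arpwatch", ARP_RE)):
            m = rx.match(line)
            if m:
                when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
                events.append(Pairing(when, m["ip"], normalize_mac(m["mac"]), source))
                break
    return sorted(events, key=lambda e: e.when)  # stable: ties keep log order


def _as_datetime(t: Union[str, datetime]) -> datetime:
    return t if isinstance(t, datetime) else datetime.fromisoformat(t)


def mac_at_time(events: List[Pairing], ip: str, alert_time: Union[str, datetime]) -> Optional[str]:
    """MAC that held `ip` when the alert fired: the newest pairing for that IP
    that is not later than the alert time. Using the alert time is what resolves
    an IP that was re-leased to a different machine on the same day."""
    t = _as_datetime(alert_time)
    candidates = [e for e in events if e.ip == ip and e.when <= t]
    return candidates[-1].mac if candidates else None


def current_ip(events: List[Pairing], mac: str) -> Optional[str]:
    """IP most recently seen with `mac`, i.e. where that box is now."""
    mac = normalize_mac(mac)
    candidates = [e for e in events if e.mac == mac]
    return candidates[-1].ip if candidates else None


if __name__ == "__main__":
    ev = parse_pairings(SAMPLE_LOG, 2004)
    # A Snort alert for 10.0.0.42 at 22:30 on Jul 27 (constructed).
    mac = mac_at_time(ev, "10.0.0.42", "2004-07-27T22:30:00")
    print("alert host MAC:", mac)
    print("that MAC is now at:", current_ip(ev, mac))
```

The same MAC is then what you search for in the switch's forwarding table to find the port, which is the step the reply leaves to the managed switch.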




