Snort mailing list archives

Re: Tying alerts to hostnames?


From: Chris Green <cmg () sourcefire com>
Date: Mon, 17 Jun 2002 16:15:04 -0400

"Scott Phippen" <ScottPhippen () vitalworks com> writes:

Is it possible for Snort to resolve and log the hostname in addition to the
IP address at the time an alert is triggered? 

Nope. 

On a network where IP leases are changing as workstations come on
and off the network, logging just the IP makes it difficult to trace
back alerts (in particular some of the policy.rules) to the correct
workstation. If not, maybe someone could offer some suggestions on
how they are tying the alerts to particular users/workstations in a
DHCP environment where leases change frequently.  Thanks in
advance!!!

Whenever one implements DHCP leases on a network, one should take the
time to actually have scripts that can search through the leases for a
particular user for correlation purposes.
-- 
Chris Green <cmg () sourcefire com>
To err is human, to moo bovine.
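The correlation script Chris describes, written out as an added example for this thread (it is not Snort or Sourcefire code, and nothing below came from the original posts). It assumes the ISC dhcpd.leases text format and Snort's "fast" alert line format; the lease entries, MAC addresses, hostnames and the alert line are constructed sample data. Given an alert's source IP and timestamp, it returns the lease (MAC and client-hostname, when the client sent one) that was active at that moment, taking the last matching entry in file order because dhcpd appends renewals and later entries override earlier ones.

```python
"""Tie a Snort alert (source IP + time) to the DHCP lease active at that
moment, by searching an ISC dhcpd.leases file.  Added example, not Snort
code; sample data below is constructed."""
import re
from datetime import datetime

# Constructed sample in the dhcpd.leases format.  Two leases for 10.0.0.57
# belong to different machines; 10.0.0.58 is a lease that never expires
# and whose client sent no hostname.
SAMPLE_LEASES = """\
lease 10.0.0.57 {
  starts 1 2002/06/17 13:02:11;
  ends 1 2002/06/17 15:02:11;
  hardware ethernet 00:0c:29:aa:bb:cc;
  client-hostname "alice-ws";
}
lease 10.0.0.58 {
  starts 1 2002/06/17 14:00:00;
  ends never;
  hardware ethernet 00:50:56:44:55:66;
}
lease 10.0.0.57 {
  starts 1 2002/06/17 15:40:00;
  ends 1 2002/06/17 17:40:00;
  hardware ethernet 00:50:56:11:22:33;
  client-hostname "bob-laptop";
}
"""

# Constructed Snort fast-format alert line.  The format carries no year,
# so the caller supplies it.
SAMPLE_ALERT = ('06/17-16:15:04.123456 [**] [1:1000001:1] POLICY test rule [**] '
                '[Priority: 3] {TCP} 10.0.0.57:1034 -> 192.168.1.10:80')

LEASE_RE = re.compile(r'lease\s+(\S+)\s*\{(.*?)\}', re.S)
ALERT_RE = re.compile(
    r'^(\d\d)/(\d\d)-(\d\d:\d\d:\d\d)\.\d+\s.*?\{\w+\}\s+'
    r'([\d.]+)(?::\d+)?\s+->\s+([\d.]+)(?::\d+)?')


def parse_dhcp_time(value):
    """'1 2002/06/17 13:02:11' -> datetime; 'never' -> None (no expiry)."""
    value = value.strip()
    if value == "never":
        return None
    _weekday, date, clock = value.split()
    return datetime.strptime(date + " " + clock, "%Y/%m/%d %H:%M:%S")


def parse_leases(text):
    """Return lease records in file order (dhcpd appends; later entries win)."""
    leases = []
    for m in LEASE_RE.finditer(text):
        rec = {"ip": m.group(1), "mac": None, "hostname": None,
               "starts": None, "ends": None}
        for raw in m.group(2).strip().splitlines():
            line = raw.strip().rstrip(";")
            if line.startswith("starts "):
                rec["starts"] = parse_dhcp_time(line[len("starts "):])
            elif line.startswith("ends "):
                rec["ends"] = parse_dhcp_time(line[len("ends "):])
            elif line.startswith("hardware ethernet "):
                rec["mac"] = line.split()[-1].lower()
            elif line.startswith("client-hostname "):
                rec["hostname"] = line.split(None, 1)[1].strip('"')
        leases.append(rec)
    return leases


def parse_alert(line, year):
    """Pull (timestamp, src_ip, dst_ip) out of a Snort fast-format alert."""
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError("not a Snort fast alert: %r" % line)
    mon, day, clock, src, dst = m.groups()
    when = datetime.strptime("%d/%s/%s %s" % (year, mon, day, clock),
                             "%Y/%m/%d %H:%M:%S")
    return when, src, dst


def lease_at(leases, ip, when):
    """Lease for `ip` active at `when`; the last matching entry in file
    order wins, which is how dhcpd itself reads the file."""
    best = None
    for rec in leases:
        if rec["ip"] != ip or rec["starts"] is None:
            continue
        if rec["starts"] <= when and (rec["ends"] is None or when < rec["ends"]):
            best = rec
    return best


def correlate(alert_line, leases_text, year):
    """Alert line -> {ip, when, mac, hostname}, or None if no lease covers it."""
    when, src, _dst = parse_alert(alert_line, year)
    rec = lease_at(parse_leases(leases_text), src, when)
    if rec is None:
        return None
    return {"ip": src, "when": when, "mac": rec["mac"], "hostname": rec["hostname"]}


if __name__ == "__main__":
    print(correlate(SAMPLE_ALERT, SAMPLE_LEASES, 2002))
```

Two things to check before trusting the match: dhcpd writes lease times in UTC by default, while Snort's alert timestamps are in the sensor's local time unless it is run with -U, so convert one side before comparing; and dhcpd periodically rewrites dhcpd.leases and drops expired entries, so keep archived copies (or the DHCPACK lines from syslog) if you need to look up leases older than the current file.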

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users