Snort mailing list archives

Re: Tying alerts to hostnames?


From: Erek Adams <erek () theadamsfamily net>
Date: Mon, 17 Jun 2002 13:15:44 -0700 (PDT)

On Mon, 17 Jun 2002, Scott Phippen wrote:

> Is it possible for Snort to resolve and log the hostname in addition to the
> IP address at the time an alert is triggered?

Nope.

> On a network where IP leases
> are changing as workstations come on and off the network, logging just the
> IP makes it difficult to trace back alerts (in particular some of the
> policy.rules) to the correct workstation. If not, maybe someone could offer
> some suggestions on how they are tying the alerts to particular
> users/workstations in a DHCP environment where leases change frequently.
> Thanks in advance!!!

Match via the MAC of the boxes.  Configure your DHCP server to serve static IPs
based upon MACs.  Granted, that sorta seems to be counter-intuitive on a DHCP
network, but it works very well.

> Running Snort 1.8.3/MySQL 3.23.43/Acid 0.9.6b17 on Win2000.

Ugh.  Might want to consider an update to 1.8.6 or 1.8.7--once it's out of
beta.  There's been a ton of fixes and features added since 1.8.3.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
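One way to do what the question asks without static reservations, as an added example that is not part of this thread or of Snort: correlate each alert's source IP with the DHCP server's own lease log to find the MAC and hostname that held that IP at alert time. The dhcpd syslog lines and Snort fast-alert lines below are constructed samples, and the year (absent from both formats) is an assumption.

```python
import re
from datetime import datetime

# Constructed sample input, modelled on ISC dhcpd syslog output and Snort's
# "fast" alert format (assumptions; not taken from the thread). Note that
# 10.0.5.23 changes hands at 11:40, so two alerts from the same IP resolve
# to two different workstations.
DHCP_LOG = """\
Jun 17 09:02:11 dhcp1 dhcpd: DHCPACK on 10.0.5.23 to 00:0c:29:aa:bb:cc (ws-scott) via eth0
Jun 17 11:40:05 dhcp1 dhcpd: DHCPACK on 10.0.5.23 to 00:50:56:11:22:33 (ws-lab7) via eth0
Jun 17 12:15:40 dhcp1 dhcpd: DHCPACK on 10.0.5.40 to 00:0c:29:aa:bb:cc (ws-scott) via eth0
"""
SNORT_ALERTS = """\
06/17-10:31:02.123456  [**] [1:1000001:1] POLICY test rule [**] [Priority: 3] {TCP} 10.0.5.23:1045 -> 192.0.2.10:80
06/17-12:30:00.000000  [**] [1:1000001:1] POLICY test rule [**] [Priority: 3] {TCP} 10.0.5.23:1046 -> 192.0.2.10:80
06/17-12:31:00.000000  [**] [1:1000001:1] POLICY test rule [**] [Priority: 3] {TCP} 10.0.5.99:1047 -> 192.0.2.10:80
"""
YEAR = 2002  # neither format carries the year; the caller supplies it

DHCP_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on (\S+) to (\S+)(?: \(([^)]+)\))?")
ALERT_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+ .*\{\w+\} (\S+?):\d+ ->")

def parse_leases(text, year=YEAR):
    """Return [(ack_time, ip, mac, hostname)] sorted by time."""
    leases = []
    for line in text.splitlines():
        m = DHCP_RE.match(line)
        if m:
            t = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            leases.append((t, m.group(2), m.group(3), m.group(4) or "?"))
    return sorted(leases)

def resolve(ip, when, leases):
    """Most recent DHCPACK for ip at or before `when`; None if no lease is known."""
    best = None
    for t, lip, mac, host in leases:
        if lip == ip and t <= when:
            best = (mac, host)
    return best

def annotate_alerts(alert_text, leases, year=YEAR):
    """Attach (mac, hostname) to each alert's source IP as of the alert time."""
    out = []
    for line in alert_text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year}/{m.group(1)}", "%Y/%m/%d-%H:%M:%S")
        out.append((when, m.group(2), resolve(m.group(2), when, leases)))
    return out
```

Run `annotate_alerts(SNORT_ALERTS, parse_leases(DHCP_LOG))` to see the first alert land on ws-scott, the second on ws-lab7 (same IP, later lease), and the third unresolved because the DHCP log never issued that address.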

