[Snort-users] Secure - NSLOOKUP

Jason Haar Jason.Haar at ...294...
Thu Jan 18 16:05:44 EST 2001


On Thu, Jan 18, 2001 at 02:53:48PM -0500, Joseph Hager wrote:
> I use snort to log internal and not so much external activities.  The major
> advantage to doing lookups on the fly is that in a DHCP network, where
> users can have a different IP today from the one they were assigned a month
> ago, it would be nice to know who that user was if I'm going through older
> logs and see something that I might not have caught originally.  WINS
> lookups will also be useful.

You need to do what I do. I almost exclusively use ACID to monitor my snort
data. It does the DNS lookups for you, so if your site does DDNS, you're
sweet.

If it doesn't, and you want WINS lookups, then ACID is pretty easy to edit.
Edit acid_stat_ipaddr.php and href a CGI doing WINS lookups in a similar way
to the WHOIS lookup ACID already does.

-- 
Cheers

Jason Haar

Unix/Special Projects, Trimble NZ
Phone: +64 3 9635 377 Fax: +64 3 9635 417
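
An added example, not part of the original message and not ACID's own code: the lookup core of a CGI like the one suggested above for linking from acid_stat_ipaddr.php. It assumes Samba's nmblookup is installed; the function names and the sample output are constructed for illustration. The address arrives from the URL and the NetBIOS names come from the host being queried, so both are treated as untrusted.

```python
# Added example, not ACID's code. Assumes Samba's nmblookup is on PATH.
import html
import ipaddress
import re
import subprocess

# One name row of `nmblookup -A` output: NAME <suffix> - [<GROUP>] B <ACTIVE>
ROW = re.compile(r"^\s*(.+?)\s+<([0-9a-fA-F]{2})>\s+-\s+(<GROUP>)?\s*[A-Z]\s+<ACTIVE>")

# Constructed sample of the command's output, used when the file is run directly
SAMPLE = """Looking up status of 192.168.1.10
\tWKSTN042        <00> -         B <ACTIVE>
\tWORKGROUP       <00> - <GROUP> B <ACTIVE>
\tWKSTN042        <03> -         B <ACTIVE>
\tJSMITH          <03> -         B <ACTIVE>
"""

def parse_node_status(text):
    """Return (machine, users) from the unique <00> and <03> name rows."""
    machine, names = None, []
    for line in text.splitlines():
        m = ROW.match(line)
        if m and not m.group(3):             # ignore group (workgroup/domain) rows
            if m.group(2) == "00" and machine is None:
                machine = m.group(1)
            elif m.group(2) == "03" and m.group(1) not in names:
                names.append(m.group(1))
    # <03> (messenger) is registered for the machine and usually the logged-on user
    return machine, [n for n in names if n != machine]

def render(ip, machine, users):
    """HTML fragment; NetBIOS names are supplied by the remote host, so escape."""
    cells = (ip, machine or "unknown", ", ".join(users) or "none")
    return "<p>%s: machine=%s users=%s</p>" % tuple(map(html.escape, cells))

def wins_lookup(raw_ip):
    """What the CGI does with its `ip` query parameter; returns an HTML fragment."""
    try:   # accept only a literal IPv4 address; the value arrives from the URL
        ip = str(ipaddress.IPv4Address(raw_ip.strip()))
    except ValueError:
        return "<p>invalid address</p>"
    # Argument list, no shell: the address is never parsed by /bin/sh
    result = subprocess.run(["nmblookup", "-A", ip], capture_output=True,
                            text=True, timeout=10)
    return render(ip, *parse_node_status(result.stdout))

if __name__ == "__main__":
    print(render("192.168.1.10", *parse_node_status(SAMPLE)))
```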



