[Snort-users] resolved names in logs

Erek Adams erek at ...577...
Thu Sep 20 07:40:02 EDT 2001


On Thu, 20 Sep 2001, Alex Pinheiro Machado Rodrigues wrote:

> How can I configure my snort to see, in logs and alerts, resolved host
> names, not IP addresses? Is it possible?

To quote Marty on this:  "Snort will never do DNS resolution."

It really doesn't make sense to do it.  Extra CPU cycles, by doing the lookup
you might clue Mr. Hax0r that an IDS just saw him, denial of service, etc...

If you can't live without hostnames, then do some sort of post-processing.
Use a Perl script to parse the logs and convert into hostnames.  Snort-stat.pl
from the http://snort.sourcefire.com/ site will do this.

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
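
The post-processing approach suggested above, as an added Python sketch (not part of the original message and not Snort-stat.pl). The alert lines are constructed samples, and the `annotate` and `ptr_lookup` names are hypothetical.

```python
import ipaddress
import re
import socket

# Dotted-quad candidates; each is validated with ipaddress before any lookup.
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def ptr_lookup(ip):
    """Reverse-resolve one address; return None when no name is found."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # covers socket.herror and socket.gaierror
        return None


def annotate(lines, resolver=ptr_lookup):
    """Return lines with each resolvable IPv4 address rewritten as name(ip)."""
    cache = {}  # one lookup per distinct address keeps DNS traffic low

    def substitute(match):
        ip = match.group(1)
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            return ip  # e.g. 999.1.1.1 is not an address, leave untouched
        if ip not in cache:
            cache[ip] = resolver(ip)
        name = cache[ip]
        # Keep the address next to the name: reverse DNS is set by whoever
        # controls the address block, so the name alone is not evidence.
        return f"{name}({ip})" if name else ip

    return [IPV4.sub(substitute, line) for line in lines]


# Constructed sample alert lines using documentation address ranges.
SAMPLE = [
    "09/20-07:40:02.123456 [**] constructed alert one [**] 192.0.2.10:1025 -> 198.51.100.7:80",
    "09/20-07:40:05.654321 [**] constructed alert two [**] 192.0.2.10:1026 -> 198.51.100.7:21",
]

if __name__ == "__main__":
    for line in annotate(SAMPLE):
        print(line)
```

Running this after the fact on an analysis host keeps the lookups out of the sensor's packet path, and the cache means each address is queried at most once per run.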




