[Snort-users] Tracking internal users with snort

Wirth, Jeff WirthJe at ...4876...
Thu Feb 7 07:00:12 EST 2002


The one thing that "should" remain static is the client's MAC address, that
is of course until they move to another machine.  You may want to look into
using BPF expressions in combination with a snort process...


snort <options> ether host XX:XX:XX:XX:XX:XX (or use -F switch with BPF

I've used this to temporarily track suspect users in the past.  More details
can be found in the snort man page...

- Jeff

-----Original Message-----
From: Nikitser, Peter [mailto:peter_nikitser at ...3162...]
Sent: Thursday, February 07, 2002 12:59 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Tracking internal users with snort


I've scanned the archives and read the User Manual, but couldn't find
an answer to the challenge I have at present.

I have been asked if it is possible to track certain individuals
within the organisation I'm currently contracting to.  These users
have the IP number assigned via DHCP, and S2.2.3 of the User Manual
states that name resolution is not supported, so it looks like IP
numbers are what I'll have to use.

Some scenarios we've thought of are:

  1) the user may have their IP address changed via DHCP, e.g. they
go on holidays;
  2) they purposefully use another PC to avoid detection

A solution I've thought of, is using statically assigned MAC -> IP
address via DHCP.  This solution obviously falls outside the scope of
snort, but can snort be configured to track packet payloads with user
credentials or hostnames?  Has anybody tackled something like this?

Thanks, Peter.
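The MAC-based BPF approach from Jeff's reply, worked through as an added example (not code from either poster): it normalises MAC addresses as they appear in different tools, combines several of them into one `ether host ... or ...` expression, and produces either a snort argv or a filter file for the `-F` switch. The `-i`/`-l` flags, interface name, log directory and MAC values are assumptions chosen for illustration.

```python
import re
from pathlib import Path

# Accept colon-separated, dash-separated (Windows ipconfig) and
# Cisco dotted notation; all are normalised to lower-case colon form.
_MAC_FORMS = (
    re.compile(r"^([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})"
               r"[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})$"),
    re.compile(r"^([0-9a-f]{2})([0-9a-f]{2})\.([0-9a-f]{2})([0-9a-f]{2})"
               r"\.([0-9a-f]{2})([0-9a-f]{2})$"),
)


def normalize_mac(mac: str) -> str:
    """Return the MAC as aa:bb:cc:dd:ee:ff, or raise ValueError if malformed."""
    s = mac.strip().lower()
    for form in _MAC_FORMS:
        m = form.match(s)
        if m:
            return ":".join(m.groups())
    raise ValueError(f"not a MAC address: {mac!r}")


def build_bpf(macs) -> str:
    """Combine one 'ether host' test per distinct MAC into a single BPF expression."""
    unique = sorted({normalize_mac(m) for m in macs})
    if not unique:
        raise ValueError("at least one MAC address is required")
    terms = [f"ether host {m}" for m in unique]
    return terms[0] if len(terms) == 1 else "(" + " or ".join(terms) + ")"


def snort_argv(macs, interface="eth0", logdir="/var/log/snort") -> list:
    """argv for running snort with the BPF filter given on the command line.

    Assumed invocation: snort -i <iface> -l <logdir> <bpf expression>.
    The expression is split into words, as the shell would do it.
    """
    return ["snort", "-i", interface, "-l", logdir, *build_bpf(macs).split()]


def write_filter_file(macs, path) -> Path:
    """Write the expression to a file for the 'snort -F <file>' alternative."""
    p = Path(path)
    p.write_text(build_bpf(macs) + "\n")
    return p


if __name__ == "__main__":
    # Constructed sample MACs in the three notations a helpdesk might hand over.
    print(" ".join(snort_argv(["00-1A-2B-3C-4D-5E", "001a.2b3c.4d5e", "aa:bb:cc:dd:ee:ff"])))
```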


