[Snort-users] Tying alerts to hostnames?

Scott Phippen ScottPhippen at ...2883...
Mon Jun 17 13:06:07 EDT 2002


Is it possible for Snort to resolve and log the hostname in addition to the
IP address at the time an alert is triggered? On a network where IP leases
are changing as workstations come on and off the network, logging just the
IP makes it difficult to trace back alerts (in particular some of the
policy.rules) to the correct workstation. If not, maybe someone could offer
some suggestions on how they are tying the alerts to particular
users/workstations in a DHCP environment where leases change frequently.
Thanks in advance!!!

Running Snort 1.8.3/MySQL 3.23.43/Acid 0.9.6b17 on Win2000.

Scott





