[Snort-users] Tying alerts to hostnames?

Chris Green cmg at ...1935...
Mon Jun 17 13:16:06 EDT 2002


"Scott Phippen" <ScottPhippen at ...2883...> writes:

> Is it possible for Snort to resolve and log the hostname in addition to the
> IP address at the time an alert is triggered? 

Nope. 

> On a network where IP leases are changing as workstations come on
> and off the network, logging just the IP makes it difficult to trace
> back alerts (in particular some of the policy.rules) to the correct
> workstation. If not, maybe someone could offer some suggestions on
> how they are tying the alerts to particular users/workstations in a
> DHCP environment where leases change frequently.  Thanks in
> advance!!!

Whenever one implements DHCP leases on a network, they should take the
time to actually have scripts that can search through the leases for a
particular user for correlation purposes.
-- 
Chris Green <cmg at ...1935...>
To err is human, to moo bovine.
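
A sketch of the kind of lease-search script the reply describes, added here as an example and not part of the original message. It assumes the DHCP server writes ISC dhcpd.leases syntax (the thread names no server); the sample leases, hostnames, MAC addresses and the helper names `parse_leases` and `who_had` are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample, ISC dhcpd.leases syntax (assumed); file times are UTC.
SAMPLE_LEASES = '''\
lease 192.168.1.50 {
  starts 1 2002/06/17 08:00:00;
  ends 1 2002/06/17 12:00:00;
  hardware ethernet 00:10:5a:aa:bb:01;
  client-hostname "ws-alice";
}
lease 192.168.1.50 {
  starts 1 2002/06/17 16:30:00;
  ends 1 2002/06/17 20:30:00;
  hardware ethernet 00:10:5a:aa:bb:02;
  client-hostname "ws-bob";
}
lease 192.168.1.51 {
  starts 1 2002/06/17 16:00:00;
  ends never;
  hardware ethernet 00:10:5a:aa:bb:03;
}
'''
LEASE_RE = re.compile(r'^lease\s+(\S+)\s*\{(.*?)^\}', re.S | re.M)

def _field(body, pattern):
    m = re.search(pattern, body)
    return m.group(1) if m else None

def _ts(text):
    return datetime.strptime(text, '%Y/%m/%d %H:%M:%S').replace(tzinfo=timezone.utc)

def parse_leases(text):
    """Yield one dict per lease block; the file is an append-only log."""
    for ip, body in LEASE_RE.findall(text):
        start = _field(body, r'starts\s+\d\s+([\d/]+ [\d:]+);')
        end = _field(body, r'ends\s+\d\s+([\d/]+ [\d:]+);')
        if start is None:
            continue  # incomplete block, cannot be placed in time
        yield {'ip': ip, 'start': _ts(start),
               'end': _ts(end) if end else None,  # None means "ends never"
               'mac': _field(body, r'hardware ethernet\s+([0-9a-fA-F:]+);'),
               'hostname': _field(body, r'client-hostname\s+"([^"]*)";')}

def who_had(text, ip, when_utc):
    """Latest lease covering when_utc (timezone-aware, UTC) for ip, or None."""
    hits = [l for l in parse_leases(text) if l['ip'] == ip
            and l['start'] <= when_utc and (l['end'] is None or when_utc < l['end'])]
    return max(hits, key=lambda l: l['start']) if hits else None
```

The alert's timestamp has to be converted to UTC before the lookup, and a `None` result means no recorded lease covered that moment, which is itself worth investigating (static address, rotated lease file, or clock skew).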



