[Snort-users] Tying alerts to hostnames?
cmg at ...1935...
Mon Jun 17 13:16:06 EDT 2002
"Scott Phippen" <ScottPhippen at ...2883...> writes:
> Is it possible for Snort to resolve and log the hostname in addition to the
> IP address at the time an alert is triggered?
> On a network where IP leases are changing as workstations come on
> and off the network, logging just the IP makes it difficult to trace
> back alerts (in particular some of the policy.rules) to the correct
> workstation. If not, maybe someone could offer some suggestions on
> how they are tying the alerts to particular users/workstations in a
> DHCP environment where leases change frequently. Thanks in
Whenever one implements DHCP leases on a network, they should take the
time to actually have scripts that can search through the leases for a
particular user for correlation purposes.
Chris Green <cmg at ...1935...>
To err is human, to moo bovine.
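
The lease search suggested in the reply above, as an added example that is not part of the original post. It assumes an ISC dhcpd-style `dhcpd.leases` file with UTC timestamps (the thread does not name a DHCP server); the sample leases, addresses and hostnames are constructed, and `who_had` is a hypothetical helper name.

```python
import re
from datetime import datetime

# Constructed sample in ISC dhcpd.leases format (assumed server; times are UTC).
SAMPLE_LEASES = '''
lease 10.0.0.50 {
  starts 1 2002/06/17 08:00:00;
  ends 1 2002/06/17 12:00:00;
  hardware ethernet 00:10:5a:aa:bb:01;
  client-hostname "ws-alice";
}
lease 10.0.0.50 {
  starts 1 2002/06/17 12:30:00;
  ends 1 2002/06/17 20:30:00;
  hardware ethernet 00:10:5a:aa:bb:02;
  client-hostname "ws-bob";
}
lease 10.0.0.51 {
  starts 1 2002/06/17 09:00:00;
  ends 1 2002/06/17 17:00:00;
  hardware ethernet 00:10:5a:aa:bb:03;
}
'''

LEASE_RE = re.compile(r'lease\s+(\S+)\s*\{(.*?)\}', re.S)
FIELD_RE = {
    'starts': re.compile(r'starts\s+\d\s+([\d/]+ [\d:]+);'),
    'ends': re.compile(r'ends\s+\d\s+([\d/]+ [\d:]+);'),
    'mac': re.compile(r'hardware ethernet\s+([0-9a-fA-F:]+);'),
    'hostname': re.compile(r'client-hostname\s+"([^"]*)";'),
}

def parse_leases(text):
    """Yield one dict per lease block; fields absent from a block are None."""
    for ip, body in LEASE_RE.findall(text):
        rec = {'ip': ip}
        for name, rx in FIELD_RE.items():
            m = rx.search(body)
            rec[name] = m.group(1) if m else None
        for key in ('starts', 'ends'):
            if rec[key]:
                rec[key] = datetime.strptime(rec[key], '%Y/%m/%d %H:%M:%S')
        yield rec

def who_had(ip, when, text=SAMPLE_LEASES):
    """Return the lease record for `ip` that covers `when` (UTC), or None."""
    hits = [r for r in parse_leases(text)
            if r['ip'] == ip and r['starts'] and r['ends']
            and r['starts'] <= when < r['ends']]
    # The lease file is appended to, so the last matching block is the newest.
    return hits[-1] if hits else None
```

Convert the alert's local timestamp to UTC before the lookup, and key follow-up on the MAC address when a lease carries no client hostname.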