[Snort-users] Tying alerts to hostnames?

Erek Adams erek at ...577...
Mon Jun 17 13:16:10 EDT 2002

On Mon, 17 Jun 2002, Scott Phippen wrote:

> Is it possible for Snort to resolve and log the hostname in addition to the
> IP address at the time an alert is triggered?


> On a network where IPs leases
> are changing as workstations come on and off the network, logging just the
> IP makes it difficult to trace back alerts (in particular some of the
> policy.rules) to the correct workstation. If not, maybe someone could offer
> some suggestions on how they are tying the alerts to particular
> users/workstations in a DHCP environment where leases change frequently.
> Thanks in advance!!!

Match via the MAC of the boxes.  Config you DHCP server to serve static IP's
based upon MAC's.  Granted that sorta seems be conunter-intuitive on a DHCP
network, but it works very well.

> Running Snort 1.8.3/MySQL 3.23.43/Acid 0.9.6b17 on Win2000.

Ugh.  Might want to consider an update to 1.8.6 or 1.8.7--once it's out of
beta.  There's been a ton of fixes and features added since 1.8.3.


Erek Adams

More information about the Snort-users mailing list