[Snort-users] Tying alerts to hostnames?
erek at ...577...
Mon Jun 17 13:16:10 EDT 2002
On Mon, 17 Jun 2002, Scott Phippen wrote:
> Is it possible for Snort to resolve and log the hostname in addition to the
> IP address at the time an alert is triggered?
> On a network where IP leases
> are changing as workstations come on and off the network, logging just the
> IP makes it difficult to trace back alerts (in particular some of the
> policy.rules) to the correct workstation. If not, maybe someone could offer
> some suggestions on how they are tying the alerts to particular
> users/workstations in a DHCP environment where leases change frequently.
> Thanks in advance!!!
Match via the MAC of the boxes. Configure your DHCP server to serve static IPs
based upon MACs. Granted that sorta seems to be counter-intuitive on a DHCP
network, but it works very well.
> Running Snort 1.8.3/MySQL 3.23.43/Acid 0.9.6b17 on Win2000.
Ugh. Might want to consider an update to 1.8.6 or 1.8.7--once it's out of
beta. There's been a ton of fixes and features added since 1.8.3.
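One way to do the correlation the original question asks about, as an added example that is not code from this thread or from the Snort project: a small Python script that parses Snort fast-alert style lines and simplified dhcpd.leases-style records, both constructed here, and looks up which lease (MAC address and client hostname) covered an alert's source IP at the moment the alert fired. The log formats, the year (which the fast-alert timestamp omits), the addresses and the hostnames are all assumptions for illustration. It deliberately includes the same IP handed to two different machines on one day, and an alert falling in the gap between two leases, which is exactly where a lookup by IP alone would pin the alert on the wrong workstation.

```python
import re
from datetime import datetime

# Constructed sample data (not from the thread): Snort "fast" style alert lines.
# The year is assumed to be 2002 because the fast format omits it.
ALERT_LINES = """\
06/17-09:05:12.000001 [**] [1:2000:1] POLICY example rule [**] [Priority: 2] {TCP} 10.1.2.50:1034 -> 192.0.2.10:80
06/17-12:10:00.000002 [**] [1:2000:1] POLICY example rule [**] [Priority: 2] {TCP} 10.1.2.50:1040 -> 192.0.2.10:80
06/17-13:16:10.000003 [**] [1:2000:1] POLICY example rule [**] [Priority: 2] {TCP} 10.1.2.50:1051 -> 192.0.2.10:80
06/17-13:20:00.000004 [**] [1:2001:1] POLICY another rule [**] [Priority: 3] {UDP} 10.1.2.77:5353 -> 224.0.0.251:5353
"""

# Constructed lease records in a simplified dhcpd.leases style (assumption).
# 10.1.2.50 is leased to two different machines on the same day, with a gap.
LEASE_TEXT = """\
lease 10.1.2.50 {
  starts 2002/06/17 08:00:00;
  ends 2002/06/17 12:00:00;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "alice-laptop";
}
lease 10.1.2.50 {
  starts 2002/06/17 12:30:00;
  ends 2002/06/17 16:30:00;
  hardware ethernet 66:77:88:99:AA:BB;
  client-hostname "bob-desktop";
}
lease 10.1.2.77 {
  starts 2002/06/17 07:00:00;
  ends 2002/06/17 19:00:00;
  hardware ethernet cc:dd:ee:ff:00:11;
  client-hostname "printer-room-3";
}
"""

ALERT_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<time>\d\d:\d\d:\d\d)\.\d+ \[\*\*\] "
    r"\[(?P<sid>[\d:]+)\] (?P<msg>.*?) \[\*\*\] .*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?$"
)
LEASE_RE = re.compile(r"lease (?P<ip>[\d.]+) \{(?P<body>.*?)\}", re.S)
TS_FMT = "%Y/%m/%d %H:%M:%S"


def parse_alerts(text, year=2002):
    """Turn fast-alert lines into dicts with a full datetime and the source IP."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # skip anything that is not a well-formed alert line
        when = datetime.strptime(f"{year}/{m['mon']}/{m['day']} {m['time']}", TS_FMT)
        alerts.append({"time": when, "sid": m["sid"], "msg": m["msg"],
                       "src": m["src"], "dst": m["dst"]})
    return alerts


def parse_leases(text):
    """Extract (ip, start, end, mac, hostname) from each lease block."""
    leases = []
    for m in LEASE_RE.finditer(text):
        body = m["body"]
        starts = re.search(r"starts (\S+ \S+);", body).group(1)
        ends = re.search(r"ends (\S+ \S+);", body).group(1)
        mac = re.search(r"hardware ethernet ([0-9a-fA-F:]+);", body).group(1)
        host = re.search(r'client-hostname "([^"]*)";', body)
        leases.append({"ip": m["ip"],
                       "start": datetime.strptime(starts, TS_FMT),
                       "end": datetime.strptime(ends, TS_FMT),
                       "mac": mac.lower(),  # normalise case for comparison
                       "hostname": host.group(1) if host else None})
    return leases


def lease_for(ip, when, leases):
    """Return the lease that covered `ip` at `when`, or None if nothing did.

    If several records overlap (renewals append new records for the same IP),
    the one with the latest start is taken as authoritative.
    """
    candidates = [l for l in leases if l["ip"] == ip and l["start"] <= when < l["end"]]
    if not candidates:
        return None
    return max(candidates, key=lambda l: l["start"])


def correlate(alerts, leases):
    """Attach the MAC and hostname that held the source IP when each alert fired."""
    out = []
    for a in alerts:
        lease = lease_for(a["src"], a["time"], leases)
        out.append({**a,
                    "mac": lease["mac"] if lease else None,
                    "hostname": lease["hostname"] if lease else None})
    return out


if __name__ == "__main__":
    for row in correlate(parse_alerts(ALERT_LINES), parse_leases(LEASE_TEXT)):
        who = f"{row['hostname']} ({row['mac']})" if row["mac"] else "NO LEASE FOUND"
        print(f"{row['time']}  {row['src']:<12} {row['msg']:<22} -> {who}")
```

The alert at 12:10 lands between the two leases for 10.1.2.50 and is reported as unmatched rather than silently attributed to either machine; in practice that usually means the sensor and DHCP server clocks disagree, or the lease file was rotated, and both are worth checking before trusting any of the other matches.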