[Snort-users] Tying alerts to hostnames? - Windowz Tools
scotw at ...125...
Tue Jun 18 06:55:10 EDT 2002
ping -a <ipaddr> will perform an IP-to-host resolution.
The perl script mentioned below should run fine on Windowz, just go out and
Also if you like TCL, you can throw together a "Tickle" script to grab the
ip and perform a host lookup.
You can get a windows binary of host and whois from (plus a lot of other
Select the file: INET32UT.ZIP
Also for those Windowz users out there, you can get many more binaries that
have been ported from the *nix platform at:
----- Original Message -----
From: "John Sage" <jsage at ...2022...>
To: <snort-users at lists.sourceforge.net>
Sent: Monday, June 17, 2002 10:57 PM
Subject: Re: [Snort-users] Tying alerts to hostnames?
> On Mon, Jun 17, 2002 at 03:05:32PM -0500, Scott Phippen wrote:
> > Is it possible for Snort to resolve and log the hostname in addition to
> > IP address at the time an alert is triggered? On a network where IPs
> > are changing as workstations come on and off the network, logging just
> > IP makes it difficult to trace back alerts (in particular some of the
> > policy.rules) to the correct workstation. If not, maybe someone could
> > offer some suggestions on how they are tying the alerts to particular
> > users/workstations in a DHCP environment where leases change frequently.
> > Thanks in advance!!!
> > Running Snort 1.8.3/MySQL 3.23.43/Acid 0.9.6b17 on Win2000.
> um... oops.
> Despite your getting two "nopes" from the inestimable Chris Green and
> Erek Adams, I was going to suggest that you might be able to get close
> to what you need with Dan Swan's snort2html.pl -- see:
> But then I noticed that you're on Window$ and I think my answer just
> became "nope", too..
> Just for the record, snort2html.pl reads alerts out of /var/log/syslog
> on Linux and writes to a web page. Dan's script does do host name
> lookups from the IP's; if you did a real fast refresh rate it'd be
> kinda close-ish to real time, kinda..
> 'course it's rebuilding the web page from zero at each refresh, so
> when it gets biggish, you might end up trying to refresh before you
> had all the names resolved.
> I was refreshing once a minute, and it would handle several hundred
> alerts with no sweat; then again, name resolution was coming from my
> local, caching-only nameserver, so I only had to go to the outside
> world once for each new IP...
> Never mind. I'll stop babbling, now.
> - John
> "You are in a little maze of twisty passages, all different."
> PGP key http://www.finchhaven.com/pages/gpg_pubkey.html
> Fingerprint FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
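Added example, not code from this thread and not Dan Swan's snort2html.pl: a small Python script that does the job the thread is discussing. It parses Snort's one-line "alert fast" output, reverse-resolves each IP once through an in-process cache (the same effect John gets from his caching-only nameserver), and emits the alert with "ip (hostname)" labels. The alert line format, the sample alerts and the PTR table are assumptions constructed for offline use; swap the fake resolver for HostResolver() with no argument to use the OS resolver.

```python
"""Annotate Snort 'alert fast' lines with reverse-DNS names (added example).

Assumptions, not taken from the original thread: ALERT_RE describes the
classic Snort one-line "fast" format; SAMPLE_ALERTS and FAKE_PTR are
constructed so the script runs with no network access.
"""
import re
import socket
from typing import Callable, Dict, List, Optional

# One Snort "alert fast" line: timestamp, [**] msg [**], optional
# classification/priority fields, then {PROTO} src[:port] -> dst[:port].
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>\d+(?:\.\d+){3})(?::\d+)?\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})(?::\d+)?\s*$"
)

# PTR data is written by whoever controls the reverse zone, so treat it as
# untrusted input: accept only hostname characters before it reaches a report
# (a snort2html-style page is HTML, so "<" in a PTR would be markup injection).
SAFE_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def system_resolver(ip: str) -> Optional[str]:
    """Reverse lookup through the OS resolver; None when there is no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        return None


class HostResolver:
    """Memoising wrapper so each IP is looked up at most once per run."""

    def __init__(self, resolver: Callable[[str], Optional[str]] = system_resolver):
        self._resolver = resolver
        self._cache: Dict[str, Optional[str]] = {}
        self.lookups = 0  # number of real lookups issued (cache misses)

    def resolve(self, ip: str) -> Optional[str]:
        if ip not in self._cache:
            self.lookups += 1
            raw = self._resolver(ip)
            # Reject hostile or malformed PTR data rather than passing it on.
            self._cache[ip] = raw if raw and SAFE_HOST_RE.match(raw) else None
        return self._cache[ip]

    def label(self, ip: str) -> str:
        """'ip (name)' when a usable PTR exists, otherwise just the IP."""
        name = self.resolve(ip)
        return f"{ip} ({name})" if name else ip


def parse_alert(line: str) -> Optional[Dict[str, str]]:
    """Return ts/msg/proto/src/dst for an alert line, None for anything else."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None


def annotate_alerts(lines: List[str], resolver: HostResolver) -> List[Dict[str, str]]:
    """Parse each alert line and replace bare IPs with 'ip (hostname)' labels."""
    rows = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue  # not an alert line (syslog noise, blank lines)
        rows.append({
            "ts": alert["ts"],
            "msg": alert["msg"],
            "proto": alert["proto"],
            "src": resolver.label(alert["src"]),
            "dst": resolver.label(alert["dst"]),
        })
    return rows


# Constructed sample input (not real alerts); the last line is deliberate noise.
SAMPLE_ALERTS = [
    "06/17-15:05:32.101010  [**] [1:1000001:1] POLICY example rule [**] "
    "[Classification: Potential Corporate Privacy Violation] [Priority: 1] "
    "{TCP} 10.0.0.5:1034 -> 192.0.2.10:80",
    "06/17-15:05:33.202020  [**] [1:1000002:1] POLICY another rule [**] "
    "[Priority: 2] {UDP} 10.0.0.5:1035 -> 192.0.2.53:53",
    "06/17-15:05:34.303030  [**] [1:1000003:1] ICMP example [**] "
    "[Priority: 3] {ICMP} 10.0.0.7 -> 192.0.2.10",
    "this is not an alert line",
]

# Constructed PTR table standing in for DNS; 10.0.0.7 returns a hostile name.
FAKE_PTR = {
    "10.0.0.5": "ws-finance-03.corp.example",
    "10.0.0.7": "evil<script>.example",
}


def fake_resolver(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)


if __name__ == "__main__":
    r = HostResolver(fake_resolver)  # HostResolver() would use real DNS
    for row in annotate_alerts(SAMPLE_ALERTS, r):
        print(f"{row['ts']} {row['proto']} {row['src']} -> {row['dst']}  {row['msg']}")
    print(f"{r.lookups} lookups for {len(SAMPLE_ALERTS)} lines")
```

Two caveats for the DHCP case the original question raises. A reverse lookup only names the current lease holder if the DHCP server is updating the reverse zone; where it is not, the DHCP server's lease table is the record to join against, and the lookup has to happen close to alert time because the IP will be reissued. The cache here lives for one run only, which is the same property snort2html.pl gets by rebuilding its page from zero on every refresh; a cache that outlives leases will attach yesterday's workstation to today's alert.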