[Snort-users] Tying alerts to hostnames? - Windowz Tools

Scot Scot scotw at ...125...
Tue Jun 18 06:55:10 EDT 2002


ping -a <ipaddr>  will perform an IP to host resolution.

The perl script mentioned below should run fine on Windowz, just go out and
download ActivePerl.

http://www.activestate.com/Products/Download/Get.plex?id=ActivePerl

Also if you like TCL, you can throw together a "Tickle" script to grab the
ip and perform a host lookup.

http://www.activestate.com/Products/Download/Get.plex?id=ActiveTcl

You can get a windows binary of host and whois from (plus a lot of other
tools):

http://www.cmdtools.com/

Select the file: INET32UT.ZIP

Also for those Windowz users out there, you can get many more binaries that
have been ported from the *nix platform at:

http://sourceforge.net/projects/gnuwin32/


----- Original Message -----
From: "John Sage" <jsage at ...2022...>
To: <snort-users at lists.sourceforge.net>
Sent: Monday, June 17, 2002 10:57 PM
Subject: Re: [Snort-users] Tying alerts to hostnames?


> Scott:
>
> On Mon, Jun 17, 2002 at 03:05:32PM -0500, Scott Phippen wrote:
> >
> > Is it possible for Snort to resolve and log the hostname in addition to
> > the IP address at the time an alert is triggered? On a network where IP
> > leases are changing as workstations come on and off the network, logging
> > just the IP makes it difficult to trace back alerts (in particular some of
> > the policy.rules) to the correct workstation. If not, maybe someone could
> > offer some suggestions on how they are tying the alerts to particular
> > users/workstations in a DHCP environment where leases change frequently.
> > Thanks in advance!!!
> >
> > Running Snort 1.8.3/MySQL 3.23.43/Acid 0.9.6b17 on Win2000.
>
> um...  oops.
>
> Despite your getting two "nopes" from  the inestimable Chris Green and
> Erek Adams, I was going to suggest that you might be able to get close
> to what you need with Dan Swan's snort2html.pl -- see:
>
> http://www.memeticcandiru.com/software/snort2html
>
> But then I noticed that you're on Window$ and I think my answer just
> became "nope", too..
>
> Just for the record, snort2html.pl reads alerts out of /var/log/syslog
> on Linux and writes to a web page. Dan's script does do host name
> lookups from the IP's; if you did a real fast refresh rate it'd be
> kinda close-ish to real time, kinda..
>
> 'course it's rebuilding the web page from zero at each refresh, so
> when it gets biggish, you might end up trying to refresh before you
> had all the names resolved.
>
> I was refreshing once a minute, and it would handle several hundred
> alerts with no sweat; then again, name resolution was coming from my
> local, caching-only nameserver, so I only had to go to the outside
> world once for each new IP...
>
>
> Never mind. I'll stop babbling, now.
>
>
> - John
> --
> "You are in a little maze of twisty passages, all different."
>
> PGP key      http://www.finchhaven.com/pages/gpg_pubkey.html
> Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
>