[Snort-users] question on mapping net IPs to hosts

Matt Kettler mkettler at ...4108...
Wed Jul 28 08:39:24 EDT 2004


At 10:30 PM 7/27/2004, jeffs at ...1936... wrote:
>Assuming one is monitoring an internal net of say 10.0.0.0/24 and getting
>logs and alerts for a bunch of hosts which are dynamically assigned their
>ip number.  How do people in this group go about mapping those dynamically
>assigned IPs to actual machines with the purpose of tracking down malware
>or whatever on those individual host machines, since these IP numbers are
>dynamic and ever changing.

There's several ways, but I usually start by back-tracking the MAC address:

First, get the mac address of the offending machine: (be sure to make use 
of the time of alert to resolve possible duplicates)

         1) use your DHCP server logs to correlate an IP address to a MAC 
address.
         2) use arpwatch to keep track of IP address and MAC pairings and 
use it's logs.

Once you've got that you can start working back where the unit is. You can 
track what IP it has now, by searching the logs for the MAC, or if you have 
a managed switch you may be able to check the MAC tables of that.







More information about the Snort-users mailing list