Snort mailing list archives

RE: NetBios Names


From: Brian Ertel <bsertel () amherst edu>
Date: Mon, 10 Dec 2001 11:26:58 -0500

Thank you Chris 

----------------------------------
Brian Ertel
Systems & Networking
Amherst College
Voice: 413-542-8320
Fax:    413-542-2626
bsertel () amherst edu
----------------------------------


-----Original Message-----
From: Chris Green [mailto:cmg () uab edu]
Sent: Monday, December 10, 2001 8:27 AM
To: Brian Ertel
Cc: 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] NetBios Names


Brian Ertel <bsertel () amherst edu> writes:

> Hello All,
>
> Does anyone know how to config Snort to return
> NetBios names of offenders?  It is obvious how to
> get the IP and MAC addresses, but I haven't seen
> anything on getting the NetBios name.

Getting the NETBIOS name would require snort to stop what it's doing,
and then try and ask the machine in question its name, wait for it to
time, and then get back to what it was doing.  DNS or Name lookups
aren't something snort is going to do out of the box.

If you need this information ( preferably for only a few specific
rules ), you are best off writing something with swatch and nmblookup.

I would be very hesitant to turn this on for things not in my network
as well because the last thing you need is handling abuse reports from
people thinking your IDS sensor has a Windows share worm.
-- 
Chris Green <cmg () uab edu>
Let not the sands of time get in your lunch.
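
One way to wire up the out-of-band lookup suggested above, as an added example that is not part of the original thread: a filter that reads Snort alert lines from stdin (standing in for swatch), keeps only watched rules whose source is inside the local network, and asks each host for its name once with `nmblookup -A`. The alert line format, SIDs, network range and sample output are assumptions constructed for the example.

```python
import ipaddress
import re
import subprocess
import sys

# Assumed for this example: Snort "fast" alert lines, a local range and a
# short watch-list of rule SIDs. Every value below is a constructed sample.
LOCAL_NET = ipaddress.ip_network("10.1.0.0/16")
WATCH_SIDS = {1000001}
ALERT_RE = re.compile(r"\[\d+:(\d+):\d+\].*?\}\s+(\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->")
NAME_RE = re.compile(r"^[ \t]+(\S+)\s+<00>\s+-\s+[A-Z]\s+<ACTIVE>", re.M)
SAMPLE_STATUS = ("Looking up status of 10.1.4.20\n"  # constructed reply
                 "\tLAB-PC17        <00> -         B <ACTIVE> \n"
                 "\tCAMPUS          <00> - <GROUP> B <ACTIVE> \n")

def offender(line):
    """Source IP of an alert, only for watched SIDs and hosts inside LOCAL_NET."""
    m = ALERT_RE.search(line)
    if not m or int(m.group(1)) not in WATCH_SIDS:
        return None
    try:
        ip = ipaddress.ip_address(m.group(2))
    except ValueError:
        return None
    return str(ip) if ip in LOCAL_NET else None

def parse_node_status(text):
    """Name from the unique <00> line of nmblookup -A output (groups carry <GROUP>)."""
    m = NAME_RE.search(text)
    return m.group(1) if m else None

def netbios_name(ip, cache, timeout=5):
    """Query each host at most once; a silent host or missing tool yields None."""
    if ip not in cache:
        try:
            out = subprocess.run(["nmblookup", "-A", ip], capture_output=True,
                                 text=True, timeout=timeout).stdout
        except (OSError, subprocess.TimeoutExpired):
            out = ""
        cache[ip] = parse_node_status(out)
    return cache[ip]

if __name__ == "__main__":  # e.g. tail -F alert | python3 this_script.py
    seen = {}
    for alert in sys.stdin:
        src = offender(alert)
        if src:
            print(src, netbios_name(src, seen) or "(no NetBIOS reply)")
```

Because the lookup runs in a separate process reading the alert file, the sensor itself never waits on a name query, and sources outside `LOCAL_NET` are never probed.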
