Tracking by hostname.


Narcosisx

Aug 24, 2013, 7:17:53 AM8/24/13
to securit...@googlegroups.com
I did a little bit of searching but did not find what I was looking for. Basically what I am trying to do is I want to see alerts in Snorby, Squert, etc. via hostname or computer name instead of IP address. We are considering moving everything to DHCP from static and we have roughly 550 devices on our network. We have also created a network map in Visio and all of our computers are named via their desk number/location. You can see how this kind of configuration would be very valuable to us: as alerts came in we would know exactly where they are coming from.

Any help or ideas are greatly appreciated. Thanks!

Doug Burks

Aug 24, 2013, 7:39:10 AM8/24/13
to securit...@googlegroups.com
Hi Narcosisx,

In Snorby, you can click an IP address and then click "Edit Asset Name".

Another option would be to send all of your DHCP and authentication
logs to ELSA so that you can just query ELSA for the IP address and
get the hostname AND username(s) as well.

Doug

On Sat, Aug 24, 2013 at 7:17 AM, Narcosisx <xge...@gmail.com> wrote:
> I did a little bit of searching but did not find what I was looking for. Basically what I am trying to do is I want to see alerts in Snorby, Squert, etc. via hostname or computer name instead of IP address. We are considering moving everything to DHCP from static and we have roughly 550 devices on our network. We have also created a network map in Visio and all of our computers are named via their desk number/location. You can see how this kind of configuration would be very valuable to us: as alerts came in we would know exactly where they are coming from.
>
> Any help or ideas are greatly appreciated. Thanks!



--
Doug Burks
http://securityonion.blogspot.com

Jon Schipp

Aug 24, 2013, 11:23:58 AM8/24/13
to securit...@googlegroups.com
I wrote an article on Snorby's Asset Manager a little while ago:
https://sickbits.net/snorbys-asset-manager-convert-and-upload-etchosts/

Matt Gregory

Aug 24, 2013, 12:51:56 PM8/24/13
to securit...@googlegroups.com
Wouldn't (or couldn't) using Snorby's asset management feature for DHCP clients eventually lead to mis-named assets in Snorby? I'm assuming that at some point a DHCP client's IP address will, or could, change, even if not very frequently.

Matt

Jeremy Hoel

Aug 24, 2013, 6:38:30 PM8/24/13
to securit...@googlegroups.com

Yes. This could very easily happen. We use it sparingly for static IP-based hosts.

Timsk

Aug 26, 2013, 6:57:27 AM8/26/13
to securit...@googlegroups.com
Tracking by hostname is a request I often receive from my team when getting them up to speed on SO (which is such a fantastic toolset by the way - well done to all concerned).

In our environment we have around 8.5k possible source IPs for any alert (all desktop and mobile clients), caused by having transient IPs allocated to clients via DHCP. Static addresses are in place for the equipment we want to monitor, but it's protecting those assets from our clients - and gaining the invaluable insight of the alerts + full packet capture - that is key for us.

Unfortunately this means that when analysing an alert it is quite possible that the source host we chase down may have been allocated a new IP in the intervening time, meaning we have on occasion chased down an incorrect source host before going deeper into the pcaps. Unfortunately we are not in a position to influence the DHCP setup used for our end-user clients.

So we have to be careful performing a DNS lookup in the Sguil client at the time of analysis (as the IP may have been reallocated), and the use of a 'point in time' config like the Snorby asset management solution mentioned above would be problematic at best in the time required to manage/regenerate. We often have to dig into the pcaps (taking greater knowledge and more time) to be certain of the originating host. Our client hostnames are set and unconfigurable by end users.

As mentioned above, we could of course pivot to ELSA for parsed DHCP logs for the relevant timeframe, but that all adds to the complexity and time to respond to any particular alert, assuming we can get access to those logs from the relevant team.

I therefore think a solution for us with this could be for the sensor generating an alert to perform a local DNS query *at the time the alert fires* and return the resulting hostname in the data forwarded to Sguil/Snorby along with the IP generating the alert at that time... For us this would cut response times and the identification of false positives (along with sensor tuning times) significantly.

Anyone else have a similar thought? Could it be sensibly built into the sensor setup (beyond my skillset to do, unfortunately), or am I barking up completely the wrong tree with this? Any comments gratefully received.

And again, thanks for putting such a brilliant set of tools together so coherently.

Thanks. T
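One way to make the IP-to-hostname lookup time-aware, so that an analyst is not misled by an address that DHCP has since handed to another client, as an added example that is not code from this thread or from Security Onion: it parses DHCPACK lines in ISC dhcpd syslog format, and for an alert's IP and timestamp returns the hostname that held the address at that moment, plus a flag saying whether the address has been reassigned since (in which case a present-time DNS lookup would name the wrong desk). The log lines, hostnames, MACs and the year are constructed assumptions.

```python
import re
from datetime import datetime
from typing import List, NamedTuple, Optional, Tuple, Union

# Constructed sample dhcpd syslog lines (not from the thread); hostnames are
# desk-location names like the ones the original poster describes.
SAMPLE_DHCP_LOG = """\
Aug 24 07:01:10 dhcp1 dhcpd: DHCPACK on 10.20.30.41 to 00:11:22:33:44:55 (DESK-A12) via eth0
Aug 24 07:05:42 dhcp1 dhcpd: DHCPACK on 10.20.30.42 to 00:11:22:33:44:66 (DESK-B03) via eth0
Aug 24 07:40:00 dhcp1 dhcpd: DHCPACK on 10.20.30.41 to 00:11:22:33:44:77 (DESK-C07) via eth0
"""

LOG_YEAR = 2013  # syslog timestamps carry no year; assumed for the sample

# Only DHCPACK lines carry the client-supplied hostname in parentheses.
ACK_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on (?P<ip>\S+) "
    r"to (?P<mac>[0-9a-fA-F:]{17}) \((?P<host>[^)]*)\)"
)


class Lease(NamedTuple):
    start: datetime
    ip: str
    mac: str
    host: str


def parse_leases(text: str) -> List[Lease]:
    """Extract DHCPACK events from dhcpd log text, sorted by time."""
    leases = []
    for line in text.splitlines():
        m = ACK_RE.match(line)
        if not m:
            continue  # DISCOVER/OFFER/REQUEST lines: no hostname, skip
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        leases.append(Lease(ts, m["ip"], m["mac"].lower(), m["host"]))
    return sorted(leases, key=lambda l: l.start)


def host_at(leases: List[Lease], ip: str,
            when: Union[str, datetime]) -> Optional[Tuple[str, bool]]:
    """Return (hostname, reassigned_since) for the client holding `ip`
    at `when` (ISO string or datetime), or None if no lease was seen yet."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    current = None
    for l in leases:
        if l.ip == ip and l.start <= when:
            current = l  # leases are time-sorted: last match wins
    if current is None:
        return None
    # A later ACK for the same IP to a different MAC means the address moved.
    reassigned = any(l.ip == ip and l.start > when and l.mac != current.mac
                     for l in leases)
    return current.host, reassigned
```

An alert at 07:20 on 10.20.30.41 resolves to DESK-A12 with the reassigned flag set, which is the case where a DNS lookup done during later analysis would point at DESK-C07 instead.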

Doug Burks

Aug 26, 2013, 8:44:13 AM8/26/13
to securit...@googlegroups.com
On Mon, Aug 26, 2013 at 6:57 AM, Timsk <tims...@googlemail.com> wrote:
> As mentioned above, we could of course pivot to elsa for parsed dhcp logs for the relevant timeframe, but that all adds to the complexity and time to respond to any particular alert, assuming we can get access to those logs from the relevant team.

Pivoting to ELSA is part of my normal workflow and I don't consider it
to be added complexity and time:
- In Sguil, right-click the IP address in question and use the "Copy
IP Address" option.
- Alt-tab to ELSA, ctrl-v, Enter.

In the future, we hope to collapse that down to one step.