Re: SNORT: MAC Address Alert

From: noconflic (nocon_at_texas-shooters.com)
Date: 09/19/03

    Date: Thu, 18 Sep 2003 17:08:12 -0500
    To: James Williams <jwilliams@mail.wtamu.edu>
    
    

    [jwilliams@mail.wtamu.edu] Wed, Sep 17, 2003 at 10:30:54AM -0500 wrote:
    > We have been having an issue over the past couple of days where a couple
    > of computers are gaining access to our network and picking arbitrary IP
    > addresses to send SPAM emails. We have the MAC addresses of the
    > suspected computers and know which locations they are coming from, but
    > they do not spend much time in any one location. What I would like to do
    > is setup a box with snort and configure a very specific rule set to have
    > snort text message my mobile phone when it sees these two MAC addresses
    > on our network and possibly from which switch/wap/vlan/etc. Is this
    > possible? If so can somebody give me a couple configuration examples?
    >

       Hrmf, one quick way to do this, but it would depend on whether you have your
    own mail server and they are using that mailserver to send SPAM through
    and that's all they appear to be doing. If said mailserver is a *NIX
    (if MS mailserver, you could do the same using the scheduler, I would think)
    system, you could just create a script, run it from cron every couple of
    mins/secs on the mailserver, that simply does an "arp -a" and then mails you
    the info.

    example: (adjust to suit your needs; as is, it
              will probably blow up your pager/phone
              when hosts are detected until you disable
              it or clear the arp cache :) )

    --------->snip<-------------------
    #!/bin/sh
    #
    # Replace both placeholder MACs with the two suspect addresses.

    H1=`arp -a | grep '09:00:00:fm:0f:00'`
    H2=`arp -a | grep '09:00:00:fm:0f:00'`

      if [ -n "${H1}" ]; then
         echo "${H1}" | mailx -s 'Host Active!' you@whereever.com
      fi

      if [ -n "${H2}" ]; then
         echo "${H2}" | mailx -s 'Host Active!' you@whereever.com
      fi

    exit 0
    --------->snip<-------------------

       With a script similar to this one, you could expand on it, add a ping, traceroute
    command, "smbclient -L <host>", or use 'expect' to log in to whatever switch and
    automatically grab the info from it as well, etc. (All this, if in fact they are
    using your mailserver to send spam.) Depending on your scripting skills, this may
    be faster than setting up a whole new box installing/configuring snort, though
    not a bad idea regardless of your current situation. :)

       Have a look also at 'arpwatch'. I run it, and it works great.
       http://www-nrg.ee.lbl.gov/

      On that note, just a week or so ago I found the following
    article to be most useful.

    "Tracking Down the Phantom Host"
       http://www.securityfocus.com/infocus/1705

      Hope this helps.

    PS:
         yeah my spelling sucks >;P

    - nocon
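The post's script pages you on every cron run while the ARP entry exists. The following is an added example, not the poster's code, that matches the exact MAC field case-insensitively and keeps a small state file so each MAC/IP/interface sighting is reported once; WATCHLIST, STATE_FILE and the sample `arp -a` text are assumptions constructed for offline testing.

```shell
#!/bin/sh
# Added example, not the original poster's script: report a watched MAC
# only the first time it is seen at a given IP/interface, so a cron job
# does not page you every run until the ARP entry ages out. Names below
# (WATCHLIST, STATE_FILE, the sample ARP text) are assumptions/constructed.

# Constructed sample of Linux `arp -a` output, used for offline testing.
SAMPLE_ARP='gw.example.net (192.0.2.1) at 00:11:22:33:44:55 [ether] on eth0
host7.example.net (192.0.2.70) at 09:00:00:fa:0f:00 [ether] on eth0
? (192.0.2.99) at 09:00:00:FB:0F:00 [ether] on eth0
? (192.0.2.5) at <incomplete> on eth0'

# Watched MACs, one per line (placeholder values; replace with the suspects).
WATCHLIST='09:00:00:fa:0f:00
09:00:00:fb:0f:00'

# Read `arp -a` text on stdin; print "mac ip iface" for each watched MAC.
# Compares the whole MAC field, case-insensitively, not a loose substring.
match_watched() {
    awk -v list="$WATCHLIST" '
        BEGIN { n = split(list, a, "\n"); for (i = 1; i <= n; i++) want[tolower(a[i])] = 1 }
        {
            mac = tolower($4); ip = $2; gsub(/[()]/, "", ip)
            if (mac in want) print mac, ip, $NF
        }'
}

# Print only sightings not yet recorded in the state file, and record them.
# Usage: new_sightings STATE_FILE < arp-output
new_sightings() {
    state=$1
    touch "$state"
    match_watched | while read -r mac ip iface; do
        if ! grep -qxF "$mac $ip $iface" "$state"; then
            echo "$mac $ip $iface" >> "$state"
            echo "$mac $ip $iface"
        fi
    done
}

# Cron entry point (assumed state path and address): mail each new sighting.
alert_new() {
    arp -a | new_sightings "${STATE_FILE:-/var/tmp/mac-sightings}" |
    while read -r line; do
        echo "$line" | mailx -s 'Host Active!' you@whereever.com
    done
}
```

Clearing the state file re-arms the alerts; a host that moves to a new IP or switch port is reported again because the recorded line includes the IP and interface.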
