Re: SNORT: MAC Address Alert

From: noconflic (
Date: 09/19/03

  • Next message: Florin Andrei: "Re: SNORT: MAC Address Alert"
    Date: Thu, 18 Sep 2003 17:08:12 -0500
    To: James Williams <>

    [] Wed, Sep 17, 2003 at 10:30:54AM -0500 wrote:
    > We have been having an issue over the past couple of days where a couple
    > of computers are gaining access to our network and picking arbitrary IP
    > addresses to send SPAM emails. We have the MAC addresses of the
    > suspected computers and know which locations they are coming from, but
    > they do not spend much time in any one location. What I would like to do
    > is setup a box with snort and configure a very specific rule set to have
    > snort text message my mobile phone when it sees these two MAC addresses
    > on our network and possibly from which switch/wap/vlan/etc. Is this
    > possible? If so can somebody give me a couple configuration examples?

       Hrmf, One quick way to do this but it would depend if you have your
    own mail server and they are using that mailserver to send SPAM through
    and thats all they appear to be doing. If said mailserver is *NIX
    (If MS mailserver you could do the same using the scheduler i would think)
    system, you could just create a script, run it from cron every couple
    mins/sec on the mailserver that simply does a "arp -a" and then mail's you
    the info.

    example: (adjust to suit your needs, as is
              will probubly blow up your pager/phone
              when hosts are dectected untill you disable
              it or clear the arp cache:) )


    H1=`arp -a | grep '09:00:00:fm:0f:00'`
    H2=`arp -a | grep '09:00:00:fm:0f:00'`

      if [ -n "${H1}"]; then
         echo ${H1} | mailx -s 'Host Active!"

      if [ -n "${H2}"]; then
         echo ${H1} | mailx -s 'Host Active!"

    exit 0

       With a script simaler to this one, you could expand on it, add a ping, traceroute
    command, "smbclient -L <host>", or using 'expect' to login to whatever swicth and
    automaticly grab the info from it as well, etc.. (All this, if in fact they are
    using your mailserver to send spam). depening on your scripting skills, this may
    be faster than setting up a whole new box installing/configing snort, though
    not a bad idea reguardless of your current situation. :)

       Have a look also at 'arpwatch'. I run it, and it works great.

      On that note, just a week or so ago i found the following
    articial to be most usefull.

    "Tracking Down the Phantom Host"

      Hope this helps.

         yeah my spelling sucks >;P

    - nocon

    Captus Networks IPS 4000
    Intrusion Prevention and Traffic Shaping Technology to:
     - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
     - Automatically Control P2P, IM and Spam Traffic
     - Precisely Define and Implement Network Security & Performance Policies
    FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo

  • Next message: Florin Andrei: "Re: SNORT: MAC Address Alert"