Re: SNORT: MAC Address Alert
From: noconflic (nocon_at_texas-shooters.com)
Date: 09/19/03
- Previous message: Mark Coleman: "Re: SNORT: MAC Address Alert"
- In reply to: James Williams: "SNORT: MAC Address Alert"
- Next in thread: Florin Andrei: "Re: SNORT: MAC Address Alert"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 18 Sep 2003 17:08:12 -0500 To: James Williams <jwilliams@mail.wtamu.edu>
[jwilliams@mail.wtamu.edu] Wed, Sep 17, 2003 at 10:30:54AM -0500 wrote:
> We have been having an issue over the past couple of days where a couple
> of computers are gaining access to our network and picking arbitrary IP
> addresses to send SPAM emails. We have the MAC addresses of the
> suspected computers and know which locations they are coming from, but
> they do not spend much time in any one location. What I would like to do
> is setup a box with snort and configure a very specific rule set to have
> snort text message my mobile phone when it sees these two MAC addresses
> on our network and possibly from which switch/wap/vlan/etc. Is this
> possible? If so can somebody give me a couple configuration examples?
>
Hrmf, One quick way to do this but it would depend if you have your
own mail server and they are using that mailserver to send SPAM through
and thats all they appear to be doing. If said mailserver is *NIX
(If MS mailserver you could do the same using the scheduler i would think)
system, you could just create a script, run it from cron every couple
mins/sec on the mailserver that simply does a "arp -a" and then mail's you
the info.
example: (adjust to suit your needs, as is
will probubly blow up your pager/phone
when hosts are dectected untill you disable
it or clear the arp cache:) )
--------->snip<-------------------
#!/bin/sh
#
H1=`arp -a | grep '09:00:00:fm:0f:00'`
H2=`arp -a | grep '09:00:00:fm:0f:00'`
if [ -n "${H1}"]; then
echo ${H1} | mailx -s 'Host Active!" you@whereever.com
fi
if [ -n "${H2}"]; then
echo ${H1} | mailx -s 'Host Active!" you@whereever.com
fi
exit 0
--------->snip<-------------------
With a script simaler to this one, you could expand on it, add a ping, traceroute
command, "smbclient -L <host>", or using 'expect' to login to whatever swicth and
automaticly grab the info from it as well, etc.. (All this, if in fact they are
using your mailserver to send spam). depening on your scripting skills, this may
be faster than setting up a whole new box installing/configing snort, though
not a bad idea reguardless of your current situation. :)
Have a look also at 'arpwatch'. I run it, and it works great.
http://www-nrg.ee.lbl.gov/
On that note, just a week or so ago i found the following
articial to be most usefull.
"Tracking Down the Phantom Host"
http://www.securityfocus.com/infocus/1705
Hope this helps.
PS:
yeah my spelling sucks >;P
- nocon
---------------------------------------------------------------------------
Captus Networks IPS 4000
Intrusion Prevention and Traffic Shaping Technology to:
- Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
- Automatically Control P2P, IM and Spam Traffic
- Precisely Define and Implement Network Security & Performance Policies
FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
http://www.securityfocus.com/sponsor/CaptusNetworks_focus-ids_000101
---------------------------------------------------------------------------
- Previous message: Mark Coleman: "Re: SNORT: MAC Address Alert"
- In reply to: James Williams: "SNORT: MAC Address Alert"
- Next in thread: Florin Andrei: "Re: SNORT: MAC Address Alert"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
