Re: SNORT: MAC Address Alert

From: Florin Andrei (florin_at_sgi.com)
Date: 09/19/03

  • Next message: Brad McGary: "Re: SNORT: MAC Address Alert"
    To: focus-ids@securityfocus.com
    Date: 18 Sep 2003 16:33:11 -0700
    
    

    On Wed, 2003-09-17 at 08:30, James Williams wrote:
    > We have been having an issue over the past couple of days where a couple
    > of computers are gaining access to our network and picking arbitrary IP
    > addresses to send SPAM emails. We have the MAC addresses of the
    > suspected computers and know which locations they are coming from, but
    > they do not spend much time in any one location. What I would like to do
    > is set up a box with snort and configure a very specific rule set to have
    > snort text message my mobile phone when it sees these two MAC addresses
    > on our network and possibly from which switch/wap/vlan/etc. Is this
    > possible? If so can somebody give me a couple configuration examples?

    The problem is, once the packet goes through the first router, the MAC
    address is lost. So you would have to install an IDS sensor on each
    Ethernet segment, which may or may not be something achievable.

    Is this a wireless issue maybe? ;-)

    -- 
    Florin Andrei
    http://florin.myip.org/
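
The point made in the reply above, as an added example that is not part of the original message: the same IP packet is matched against a MAC watch list on the access segment and again after the first router, where the source MAC has become the router's. All MAC addresses, IP addresses, the VLAN ID and the sensor names are constructed for illustration.

```python
import socket
import struct

# Constructed values for illustration; none come from the original thread.
WATCHED_MACS = {"00:11:22:33:44:55"}
ROUTER_MAC = "02:00:00:00:00:01"
MAIL_MAC = "02:00:00:00:00:02"

def mac_bytes(mac):
    return bytes(int(p, 16) for p in mac.split(":"))

def build_frame(src_mac, dst_mac, src_ip, dst_ip, vlan=None):
    """Build a minimal Ethernet II + IPv4 frame (IP checksum left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tag = b"" if vlan is None else struct.pack("!HH", 0x8100, vlan & 0x0FFF)
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + tag + b"\x08\x00" + ip

def parse_frame(frame):
    """Return (src_mac, vlan, src_ip); vlan and src_ip are None when absent."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan = 14, None
    if ethertype == 0x8100:  # a single 802.1Q tag
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        offset, vlan = 18, tci & 0x0FFF
    src_ip = None
    if ethertype == 0x0800 and len(frame) >= offset + 20:
        src_ip = socket.inet_ntoa(frame[offset + 12:offset + 16])
    return src_mac, vlan, src_ip

def check_frame(sensor, frame):
    """Return an alert string if the frame's source MAC is watched, else None."""
    src_mac, vlan, src_ip = parse_frame(frame)
    if src_mac in WATCHED_MACS:
        return f"{sensor}: watched MAC {src_mac} vlan={vlan} src_ip={src_ip}"
    return None

# The same IP packet as seen before and after the first router.
ACCESS_FRAME = build_frame("00:11:22:33:44:55", ROUTER_MAC, "10.1.2.3", "10.9.0.25", vlan=120)
ROUTED_FRAME = build_frame(ROUTER_MAC, MAIL_MAC, "10.1.2.3", "10.9.0.25")

if __name__ == "__main__":
    print(check_frame("sensor-access", ACCESS_FRAME))  # alert with VLAN and source IP
    print(check_frame("sensor-core", ROUTED_FRAME))    # None: source MAC is now the router's
```

The source IP survives routing while the source MAC does not, so only the sensor on the originating segment can alert on the watched MAC.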