Re: SNORT: MAC Address Alert
From: Brad McGary (bmcgary_at_secondfront.net)
Date: 09/19/03
- Previous message: Florin Andrei: "Re: SNORT: MAC Address Alert"
- In reply to: James Williams: "SNORT: MAC Address Alert"
- Next in thread: noconflic: "Re: SNORT: MAC Address Alert"
- Reply: noconflic: "Re: SNORT: MAC Address Alert"
To: "James Williams" <jwilliams@mail.wtamu.edu>, "SF-IDS" <focus-ids@securityfocus.com>
Date: Fri, 19 Sep 2003 08:54:34 -0500
Why don't you set up DHCP reservations for the two MAC addresses and assign
them specific IPs? Once the users acquire the known IPs you can track their
activity using Snort and/or block traffic at the firewall. I'm assuming
you're using DHCP.
----- Original Message -----
From: "James Williams" <jwilliams@mail.wtamu.edu>
To: "SF-IDS" <focus-ids@securityfocus.com>
Sent: Wednesday, September 17, 2003 10:30 AM
Subject: SNORT: MAC Address Alert
> We have been having an issue over the past couple of days where a couple
> of computers are gaining access to our network and picking arbitrary IP
> addresses to send SPAM emails. We have the MAC addresses of the
> suspected computers and know which locations they are coming from, but
> they do not spend much time in any one location. What I would like to do
> is set up a box with snort and configure a very specific rule set to have
> snort text message my mobile phone when it sees these two MAC addresses
> on our network and possibly from which switch/wap/vlan/etc. Is this
> possible? If so, can somebody give me a couple configuration examples?
>
> Thank you,
>
> James Williams
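Added example, not part of the original thread and not Snort code: a minimal watchlist check on raw Ethernet frames that reports the source IP and 802.1Q VLAN whenever a watched source MAC appears, which is the detection the original question asks about. The MAC addresses, IP addresses and frames are constructed placeholders, and it assumes frames are captured elsewhere (for example from a mirror port) and that notification is handled separately.

```python
import struct

# Constructed placeholder MACs; substitute the two addresses being tracked.
WATCHLIST = {"00:11:22:33:44:55", "00:11:22:33:44:66"}

def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)

def fmt_ip(b):
    return ".".join(str(x) for x in b)

def inspect_frame(frame, watchlist=WATCHLIST):
    """Return an alert dict if the frame's source MAC is watched, else None."""
    if len(frame) < 14:
        return None  # truncated Ethernet header
    src_mac = fmt_mac(frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan = 14, None
    if ethertype == 0x8100:  # 802.1Q tag: TCI, then the real EtherType
        if len(frame) < 18:
            return None
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    if src_mac not in watchlist:
        return None
    payload = frame[offset:]
    src_ip = None  # stays None for non-IP traffic from a watched MAC
    if ethertype == 0x0800 and len(payload) >= 20:    # IPv4: source at bytes 12-15
        src_ip = fmt_ip(payload[12:16])
    elif ethertype == 0x0806 and len(payload) >= 28:  # ARP: sender IP at bytes 14-17
        src_ip = fmt_ip(payload[14:18])
    return {"mac": src_mac, "vlan": vlan, "ip": src_ip}

def build_sample_frames():
    """Constructed frames for the demo (TEST-NET addresses, no real traffic)."""
    dst = bytes.fromhex("ffffffffffff")
    watched, other = bytes.fromhex("001122334455"), bytes.fromhex("0a0b0c0d0e0f")
    ipv4 = bytes([0x45, 0]) + bytes(10) + bytes([192, 0, 2, 77, 192, 0, 2, 1])
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + watched
           + bytes([192, 0, 2, 99]) + bytes(6) + bytes([192, 0, 2, 1]))
    return [
        dst + watched + struct.pack("!HHH", 0x8100, 42, 0x0800) + ipv4,  # VLAN 42, IPv4
        dst + watched + struct.pack("!H", 0x0806) + arp,                 # untagged ARP
        dst + other + struct.pack("!H", 0x0800) + ipv4,                  # unwatched MAC
    ]

if __name__ == "__main__":
    for f in build_sample_frames():
        print(inspect_frame(f))
```

Because the check keys on the Ethernet source address rather than the IP, it still fires when the host picks an arbitrary static address instead of taking a DHCP lease.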