Re: Tracking back internal incidents to users, not IPs
- From: Roland Dobbins <rdobbins@xxxxxxxxx>
- Date: Fri, 24 Feb 2006 22:49:30 -0800
The problem with shutting down the port is that the user is likely to move to another port, and then you have to wait for his machine to start doing Bad Things again, and then shut him down yet again (same concept with source-based remotely-triggered blackhole, or SRTBH), and then when someone else plugs into the shutdown port(s), there's a trouble-ticket generated.
It's certainly better than doing nothing at all, mind - but it's a whack-a-mole type of deal.
On Feb 24, 2006, at 5:44 AM, Cojocea, Mike (IST) wrote:
then queries your DHCP server(s) for active leases with MAC addresses, compares the MAC address to the switch's MAC table, then queries your
database/spread*** for jack number to switch port assignments and
updates the user object via an LDAP modify command.
Have a look at Netdisco (netdisco.org). It does an SNMP walk and dumps
the switch ARP/IP tables into a database which you can query using
CGI+Apache. I used it in a 10K host network and it helped me a lot.
Using Netdisco you can track down a MAC to a port and shut down the port
in a couple of seconds.
Thanks,
Mike
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
----------------------------------------------------------------------
Roland Dobbins <rdobbins@xxxxxxxxx> // 408.527.6376 voice
Everything has been said. But nobody listens.
-- Roger Shattuck
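The correlation chain Mike describes (DHCP lease gives IP to MAC, switch forwarding table gives MAC to port, cabling database gives port to jack, LDAP modify records it on the user object) and Roland's objection that a port-based shutdown is whack-a-mole are both easy to see in code. The script below is an added example written for this archive page; it is not Netdisco's code or anything either poster published. Every data source is a constructed in-memory table, the MAC formats are assumed (DHCP colon form, Windows dash form, Cisco dotted form), and the LDAP attribute names in `ldif_modify` are invented for illustration. The `PortHistory` class is the part that addresses Roland's point: it keys on the MAC rather than the port, so a host that is shut down on one port and reappears on another is recognised as the same host instead of generating a fresh trouble ticket.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# --- constructed sample data (not from any real network) -------------------
DHCP_LEASES = [  # (ip, mac as the DHCP server logs it, lease expiry in epoch seconds)
    ("10.1.20.17", "00:11:22:33:44:55", 1140900000),
    ("10.1.20.18", "00:11:22:33:44:55", 1140700000),   # expired lease, same host
    ("10.1.20.42", "AA-BB-CC-DD-EE-FF", 1140900000),   # Windows-style separator
]
SWITCH_MAC_TABLE = {  # Cisco dotted format, as an SNMP/CLI dump would show it
    "0011.2233.4455": ("sw-bldg1-3", "Gi0/12"),
    "aabb.ccdd.eeff": ("sw-bldg1-3", "Gi0/7"),
}
JACK_MAP = {  # cabling database: (switch, port) -> wall jack label
    ("sw-bldg1-3", "Gi0/12"): "B1-204-A",
    ("sw-bldg1-3", "Gi0/7"): "B1-118-C",
}

def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so DHCP, switch and DB sources compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def ip_to_mac(ip: str, now: int, leases=DHCP_LEASES) -> Optional[str]:
    """Return the MAC holding an *active* lease on ip; expired leases are ignored,
    since an expired lease may already belong to a different host."""
    for lease_ip, mac, expiry in leases:
        if lease_ip == ip and expiry > now:
            return normalize_mac(mac)
    return None

def mac_to_port(mac: str, table=SWITCH_MAC_TABLE) -> Optional[Tuple[str, str]]:
    """Look the MAC up in the switch forwarding table whatever format it was dumped in."""
    canon = {normalize_mac(k): v for k, v in table.items()}
    return canon.get(normalize_mac(mac))

@dataclass(frozen=True)
class Location:
    ip: str
    mac: str
    switch: str
    port: str
    jack: Optional[str]

def locate(ip: str, now: int) -> Optional[Location]:
    """IP -> MAC -> switch/port -> jack; None if any hop cannot be resolved."""
    mac = ip_to_mac(ip, now)
    if mac is None:
        return None
    sp = mac_to_port(mac)
    if sp is None:
        return None
    switch, port = sp
    return Location(ip, mac, switch, port, JACK_MAP.get(sp))

class PortHistory:
    """Remember every port each MAC has been seen on, so a host that moves to a
    new port after a shutdown is recognised as the same host, not a new ticket."""
    def __init__(self) -> None:
        self._seen: Dict[str, List[Tuple[str, str]]] = {}

    def observe(self, loc: Location) -> int:
        """Record this sighting; return how many distinct ports the MAC has used."""
        ports = self._seen.setdefault(loc.mac, [])
        if (loc.switch, loc.port) not in ports:
            ports.append((loc.switch, loc.port))
        return len(ports)

    def is_repeat_offender(self, mac: str) -> bool:
        return len(self._seen.get(normalize_mac(mac), [])) > 1

def ldif_modify(user_dn: str, loc: Location) -> str:
    """Build the LDIF change record that would attach the resolved location to
    the user object. Attribute names are assumptions made for this example."""
    return "\n".join([
        f"dn: {user_dn}",
        "changetype: modify",
        "replace: x-lastSeenMAC",
        f"x-lastSeenMAC: {loc.mac}",
        "-",
        "replace: x-lastSeenPort",
        f"x-lastSeenPort: {loc.switch}/{loc.port}",
        "-",
    ])

if __name__ == "__main__":
    where = locate("10.1.20.17", now=1140800000)
    print(where)
    if where:
        print(ldif_modify("uid=jdoe,ou=people,dc=example,dc=org", where))
```

In production the three tables would come from the DHCP server's lease file, an SNMP walk of the bridge forwarding table (which is what Netdisco stores for you) and the cabling database, and the LDIF would be fed to an LDAP client; the lookup logic and the MAC-keyed history stay the same.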