Re: detect intruders with WMI
From: Karl Levinson [x y] mvp (levinson_k@excite.com)
Date: 12/18/02
- Next message: Karl Levinson [x y] mvp: "Re: Correct locations of Group Policy objects"
- Previous message: Karl Levinson [x y] mvp: "Re: Limiting users to specific software"
- In reply to: A. Tolga KILINÇ: "detect intruders with WMI"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Karl Levinson [x y] mvp" <levinson_k@excite.com> Date: Tue, 17 Dec 2002 22:41:11 -0500
"A. Tolga KILINÇ" <kilinc@tis.havelsan.com.tr> wrote in message
news:Ow30NRepCHA.2384@TK2MSFTNGP09...
> Hi,
> How can I use WMI scripting to detect internal intruder machines in
> LAN/domain? Can I utilize WMI scripts or other techniques to detect
> spoofed MAC addresses...etc?
WMI probably isn't going to help you detect spoofing on a laptop running
Linux or a Windows computer that doesn't comply with your requests for
information such as a hacker's laptop that has never been on your network
before. Besides, if you can run WMI to enumerate the machine, then a hacker
probably can too, or he can probably sniff the response to your request.
Some NIDS such as www.iss.net [not my favorite] and others can detect
changes to MAC addresses, though in a large network you're going to get so
many false alarms that you'll have to start ignoring them. I'd be really
surprised if there were any medium- to large-sized networks that were doing
anything successfully against the sorts of attacks you describe.
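The baseline-and-alert check on MAC changes that the reply attributes to NIDS products, as an added example that is not part of the thread; the ARP observations, the DHCP pool range and the function names are all constructed, and the second function shows why such alerts need filtering before they are useful.

```python
"""Baseline-and-alert check for IP-to-MAC changes, the NIDS feature the reply
mentions.  Added example, not code from the thread; all data is constructed."""
import ipaddress

# Constructed (timestamp, ip, mac) triples, as periodic ARP table dumps from a
# router would give.  10.0.0.11 changes MAC at 09:00 and flips back at 10:00;
# 10.0.1.50 sits in the DHCP pool and is simply handed to a new host.
OBSERVATIONS = [
    ("2002-12-17T08:00", "10.0.0.10", "00:0C:29:AA:BB:01"),
    ("2002-12-17T08:00", "10.0.0.11", "00:0C:29:AA:BB:02"),
    ("2002-12-17T08:00", "10.0.1.50", "00:0C:29:AA:BB:10"),
    ("2002-12-17T09:00", "10.0.0.10", "00:0C:29:AA:BB:01"),
    ("2002-12-17T09:00", "10.0.0.11", "00:0C:29:AA:BB:99"),
    ("2002-12-17T09:00", "10.0.1.50", "00:0C:29:AA:BB:11"),
    ("2002-12-17T10:00", "10.0.0.10", "00:0C:29:AA:BB:01"),
    ("2002-12-17T10:00", "10.0.0.11", "00:0C:29:AA:BB:02"),
    ("2002-12-17T10:00", "10.0.1.50", "00:0C:29:AA:BB:11"),
]
# Constructed: dynamically leased ranges, where a MAC change is routine.
DHCP_POOLS = [ipaddress.ip_network("10.0.1.0/24")]


def mac_changes(observations):
    """Report (timestamp, ip, old_mac, new_mac) whenever an IP's MAC differs
    from the last one recorded for it: the raw, noisy signal."""
    last, alerts = {}, []
    for ts, ip, mac in observations:
        mac = mac.lower()
        if ip in last and last[ip] != mac:
            alerts.append((ts, ip, last[ip], mac))
        last[ip] = mac
    return alerts


def suspicious_mac_changes(observations, dhcp_pools=DHCP_POOLS):
    """Same check minus changes inside a DHCP pool, where a new MAC usually
    just means a new lease.  What is left still is not proof of spoofing:
    a NIC swap or a restored VM produces the identical event, which is why
    the reply expects many false alarms on a large network."""
    return [
        (ts, ip, old, new)
        for ts, ip, old, new in mac_changes(observations)
        if not any(ipaddress.ip_address(ip) in pool for pool in dhcp_pools)
    ]


if __name__ == "__main__":
    for alert in suspicious_mac_changes(OBSERVATIONS):
        print("MAC change on static address: %s %s %s -> %s" % alert)
```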