IDS mailing list archives
Re: SNORT: MAC Address Alert
From: noconflic <nocon () texas-shooters com>
Date: Thu, 18 Sep 2003 17:08:12 -0500
[jwilliams () mail wtamu edu] Wed, Sep 17, 2003 at 10:30:54AM -0500 wrote:
We have been having an issue over the past couple of days where a couple of computers are gaining access to our network and picking arbitrary IP addresses to send SPAM emails. We have the MAC addresses of the suspected computers and know which locations they are coming from, but they do not spend much time in any one location. What I would like to do is setup a box with snort and configure a very specific rule set to have snort text message my mobile phone when it sees these two MAC addresses on our network and possibly from which switch/wap/vlan/etc. Is this possible? If so can somebody give me a couple configuration examples?
Hrmf, One quick way to do this but it would depend if you have your own mail server and they are using that mailserver to send SPAM through and thats all they appear to be doing. If said mailserver is *NIX (If MS mailserver you could do the same using the scheduler i would think) system, you could just create a script, run it from cron every couple mins/sec on the mailserver that simply does a "arp -a" and then mail's you the info. example: (adjust to suit your needs, as is will probubly blow up your pager/phone when hosts are dectected untill you disable it or clear the arp cache:) ) --------->snip<------------------- #!/bin/sh # H1=`arp -a | grep '09:00:00:fm:0f:00'` H2=`arp -a | grep '09:00:00:fm:0f:00'` if [ -n "${H1}"]; then echo ${H1} | mailx -s 'Host Active!" you () whereever com fi if [ -n "${H2}"]; then echo ${H1} | mailx -s 'Host Active!" you () whereever com fi exit 0 --------->snip<------------------- With a script simaler to this one, you could expand on it, add a ping, traceroute command, "smbclient -L <host>", or using 'expect' to login to whatever swicth and automaticly grab the info from it as well, etc.. (All this, if in fact they are using your mailserver to send spam). depening on your scripting skills, this may be faster than setting up a whole new box installing/configing snort, though not a bad idea reguardless of your current situation. :) Have a look also at 'arpwatch'. I run it, and it works great. http://www-nrg.ee.lbl.gov/ On that note, just a week or so ago i found the following articial to be most usefull. "Tracking Down the Phantom Host" http://www.securityfocus.com/infocus/1705 Hope this helps. PS: yeah my spelling sucks >;P - nocon --------------------------------------------------------------------------- Captus Networks IPS 4000 Intrusion Prevention and Traffic Shaping Technology to: - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans - Automatically Control P2P, IM and Spam Traffic - Precisely Define and Implement Network Security & Performance Policies FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo http://www.securityfocus.com/sponsor/CaptusNetworks_focus-ids_000101 ---------------------------------------------------------------------------
Current thread:
- SNORT: MAC Address Alert James Williams (Sep 18)
- Re: SNORT: MAC Address Alert Jordan Wiens (Sep 19)
- Re: SNORT: MAC Address Alert Jordan Wiens (Sep 22)
- Re: SNORT: MAC Address Alert Mark Coleman (Sep 19)
- Re: SNORT: MAC Address Alert noconflic (Sep 19)
- Re: SNORT: MAC Address Alert Florin Andrei (Sep 19)
- Re: SNORT: MAC Address Alert Brad McGary (Sep 19)
- Re: SNORT: MAC Address Alert noconflic (Sep 22)
- Re: SNORT: MAC Address Alert Maxime Ducharme (Sep 22)
- Re: SNORT: MAC Address Alert noconflic (Sep 22)
- <Possible follow-ups>
- RE: SNORT: MAC Address Alert Jorge Coll (Sep 22)
- Re: SNORT: MAC Address Alert Jordan Wiens (Sep 19)