IDS mailing list archives
Re: SNORT: MAC Address Alert
From: "Maxime Ducharme" <maxime () pandore-design com>
Date: Mon, 22 Sep 2003 10:23:04 -0400
Don't forget a MAC address can also be changed, to make things worse ...

I suggest implementing a kind of "spam detector" with a script that would
get more info about the offending host (like NBT name, nmap OS fingerprinting, ...)

Ciao

---------------------------------------------------------------
Maxime Ducharme
Network Administrator, Programmer
E-Mail : maxime () pandore-design com
PGP public key : http://pandore-design.com/pgp/maxime.asc
Pandore-Design [http://www.pandore-design.com]
Tel : (866) 961-9321
Fax : (866) 961-9943

----- Original Message -----
From: "noconflic" <nocon () texas-shooters com>
To: "Brad McGary" <bmcgary () secondfront net>
Cc: "James Williams" <jwilliams () mail wtamu edu>; "SF-IDS" <focus-ids () securityfocus com>
Sent: Friday, September 19, 2003 4:31 PM
Subject: Re: SNORT: MAC Address Alert

[bmcgary () secondfront net] Fri, Sep 19, 2003 at 08:54:34AM -0500 wrote:
> Why don't you set up DHCP reservations for the two MAC addresses and assign
> them specific IPs? Once the users acquire the known IPs you can track their
> activity using Snort and/or block traffic at the firewall. I'm assuming
> you're using DHCP.

This can easily be defeated by manually configuring the IP/Subnet/Gateway
on the offending machines. Assuming of course they are that smart, which by
the looks of it they are not if they are sending spam out of a company
network. heh ;-)

- nocon
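Both ways around the DHCP reservation raised in this thread (a manually configured IP and a changed MAC address) appear as mismatches between the reservation table and the MAC/IP pairs actually seen on the network. The check below is an added example, not code from any poster in the thread; the reservation table, the observation list, the finding names and all addresses are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data: DHCP reservations (MAC -> reserved IP) for the watched hosts.
RESERVATIONS = {
    "02:00:00:00:00:01": "192.0.2.51",
    "02:00:00:00:00:02": "192.0.2.52",
}

# Constructed sample observations: (source MAC, source IP) pairs as they might be
# taken from ARP traffic or a router's ARP table.
OBSERVED = [
    ("02:00:00:00:00:01", "192.0.2.51"),   # matches its reservation
    ("02:00:00:00:00:02", "192.0.2.200"),  # watched MAC on a non-reserved IP
    ("02:00:00:00:00:09", "192.0.2.51"),   # reserved IP used by another MAC
]


def normalize(mac):
    """Lower-case and use ':' separators so differently formatted MACs compare equal."""
    return mac.strip().lower().replace("-", ":")


def audit(reservations, observed):
    """Return a sorted list of (kind, mac, ip) findings for binding mismatches."""
    res = {normalize(m): ip for m, ip in reservations.items()}
    reserved_ips = {ip: m for m, ip in res.items()}
    macs_per_ip = defaultdict(set)
    findings = set()
    for mac, ip in observed:
        mac = normalize(mac)
        macs_per_ip[ip].add(mac)
        if mac in res and res[mac] != ip:
            # Watched host is not on its reserved address: static config likely.
            findings.add(("static_ip", mac, ip))
        if ip in reserved_ips and reserved_ips[ip] != mac:
            # Reserved address used by a MAC that does not own the reservation.
            findings.add(("reserved_ip_other_mac", mac, ip))
    for ip, macs in macs_per_ip.items():
        if len(macs) > 1:
            # Same IP seen with several MACs: MAC changed or address conflict.
            for mac in macs:
                findings.add(("ip_multiple_macs", mac, ip))
    return sorted(findings)


if __name__ == "__main__":
    for kind, mac, ip in audit(RESERVATIONS, OBSERVED):
        print(f"{kind:24} {mac} {ip}")
```

Each finding is a starting point for the host-identification step suggested in the reply, since the MAC alone is not a stable identifier.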