Snort mailing list archives
RE: Alert on new IP in use?
From: "Williams Jon" <WilliamsJonathan () JohnDeere com>
Date: Mon, 1 Aug 2005 07:44:52 -0500
I realize your question was posted to the snort list, but there is a neat tool called Never Before Seen (NBS) by Marcus Ranum that does this. I worked with it for a while, but got pulled off on other projects so I haven't touched it in a while. Should work well for your application, though.

You can find NBS at Marcus' website:
http://www.ranum.com/security/computer_security/index.html

Jon

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Rich Adamson
Sent: Monday, August 01, 2005 8:15 AM
To: Snort Users Postings
Subject: [Snort-users] Alert on new IP in use?

Looking for a way to monitor a small banking network and generate an alert when an unused IP address is observed. The current IP's are not consecutive.

Example: we have 26 static IP addresses assigned to workstations and servers. If a 27th (or greater) address appears on the wire, generate an alert.

(Note: not very interested in watching MAC addresses as some of the IP's are behind another layer-3 device.)

Thoughts?

-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast.
http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
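The check asked for in the quoted question (alert when an address outside the assigned set appears on the wire), as an added example that is not part of the original post and is not NBS code. The network range, the assigned addresses, the log line shape and the names `find_unassigned` and `PAIR_RE` are all assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed sample values (documentation address ranges), not from the thread.
MONITORED_NET = ipaddress.ip_network("192.0.2.0/24")
ASSIGNED = {"192.0.2.10", "192.0.2.11", "192.0.2.25", "192.0.2.40"}

# Constructed "timestamp src:port -> dst:port" lines; adapt PAIR_RE to the
# real packet-log format in use.
SAMPLE_LOG = """\
08/01-08:15:01 192.0.2.10:1025 -> 192.0.2.40:445
08/01-08:15:02 192.0.2.11:1030 -> 198.51.100.7:80
08/01-08:15:09 192.0.2.77:1044 -> 192.0.2.40:445
08/01-08:15:10 192.0.2.77:1045 -> 192.0.2.25:139
08/01-08:15:11 garbage line without addresses
08/01-08:15:12 192.0.2.999:1 -> 192.0.2.40:445
08/01-08:15:15 192.0.2.25:139 -> 192.0.2.130:1200
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?"
PAIR_RE = re.compile(r"^(\S+)\s+" + IPV4 + r"\s+->\s+" + IPV4)


def find_unassigned(lines, assigned, net):
    """Return [(timestamp, ip)] for each address inside `net` that is not in
    `assigned`, reported once, the first time it is seen."""
    known = {ipaddress.ip_address(a) for a in assigned}
    alerts = []
    for line in lines:
        m = PAIR_RE.match(line)
        if not m:
            continue  # not a packet summary line
        for text in m.group(2, 3):  # check source and destination
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:
                continue  # malformed address, e.g. an octet above 255
            # Addresses outside the monitored network (Internet hosts) are ignored.
            if ip in net and ip not in known:
                known.add(ip)  # remember it so it alerts only once
                alerts.append((m.group(1), str(ip)))
    return alerts


if __name__ == "__main__":
    for stamp, ip in find_unassigned(SAMPLE_LOG.splitlines(), ASSIGNED, MONITORED_NET):
        print(f"ALERT {stamp} unassigned address on the wire: {ip}")
```

Because the comparison is on IP addresses rather than MAC addresses, it still applies to hosts that sit behind another layer-3 device, which is the constraint stated in the question.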
Current thread:
- Alert on new IP in use? Rich Adamson (Aug 01)
- Re: Alert on new IP in use? Matt Kettler (Aug 01)
- Re: Alert on new IP in use? Rich Adamson (Aug 01)
- Re: Alert on new IP in use? Matt Kettler (Aug 01)
- Re: Alert on new IP in use? Rich Adamson (Aug 01)
- Re: Alert on new IP in use? James Riden (Aug 01)
- Re: Alert on new IP in use? Jason Benway (Aug 03)
- Re: Alert on new IP in use? James Riden (Aug 03)
- Re: Alert on new IP in use? Jason Benway (Aug 09)
- Re: Alert on new IP in use? Jason Benway (Aug 03)
- Re: Alert on new IP in use? Matt Kettler (Aug 01)
- Re: Alert on new IP in use? Jeff Coppock (Aug 02)
- <Possible follow-ups>
- RE: Alert on new IP in use? Williams Jon (Aug 01)
- Re: Alert on new IP in use? Daniel Cid (Aug 01)
- Re: Alert on new IP in use? Donofrio, Lewis (Aug 04)