Re: SNORT: MAC Address Alert

[noconflic <nocon () texas-shooters com>]

[jwilliams () mail wtamu edu] Wed, Sep 17, 2003 at 10:30:54AM -0500 wrote:
> We have been having an issue over the past couple of days where a couple
> of computers are gaining access to our network and picking arbitrary IP
> addresses to send SPAM emails. We have the MAC addresses of the
> suspected computers and know which locations they are coming from, but
> they do not spend much time in any one location. What I would like to do
> is setup a box with snort and configure a very specific rule set to have
> snort text message my mobile phone when it sees these two MAC addresses
> on our network and possibly from which switch/wap/vlan/etc. Is this
> possible? If so can somebody give me a couple configuration examples?

   Hrmf, One quick way to do this but it would depend if you have your 
own mail server and they are using that mailserver to send SPAM through
and thats all they appear to be doing. If said mailserver is *NIX
(If MS mailserver you could do the same using the scheduler i would think)
system, you could just create a script, run it from cron every couple 
mins/sec on the mailserver that simply does a "arp -a" and then mail's you 
the info. 

example: (adjust to suit your needs, as is 
          will probubly blow up your pager/phone 
          when hosts are dectected untill you disable 
          it or clear the arp cache:) )

--------->snip<-------------------
#!/bin/sh
#

H1=`arp -a | grep '09:00:00:fm:0f:00'`
H2=`arp -a | grep '09:00:00:fm:0f:00'`    

  if [ -n "${H1}"]; then 
     echo ${H1} | mailx -s 'Host Active!" you () whereever com
  fi 

  if [ -n "${H2}"]; then 
     echo ${H1} | mailx -s 'Host Active!" you () whereever com
  fi 

exit 0
--------->snip<-------------------

   With a script simaler to this one, you could expand on it, add a ping, traceroute
command, "smbclient -L <host>",  or using 'expect' to login to whatever swicth and 
automaticly grab the info from it as well, etc.. (All this, if in fact they are 
using your mailserver to send spam). depening on your scripting skills, this may 
be faster than setting up a whole new box installing/configing snort, though
not a bad idea reguardless of your current situation. :) 

   Have a look also at 'arpwatch'. I run it, and it works great. 
   http://www-nrg.ee.lbl.gov/

  On that note, just a week or so ago i found the following
articial to be most usefull.  

"Tracking Down the Phantom Host"
   http://www.securityfocus.com/infocus/1705

  Hope this helps. 

PS: 
     yeah my spelling sucks >;P

- nocon

---------------------------------------------------------------------------
Captus Networks IPS 4000
Intrusion Prevention and Traffic Shaping Technology to: 
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
 - Automatically Control P2P, IM and Spam Traffic
 - Precisely Define and Implement Network Security & Performance Policies
FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo 
http://www.securityfocus.com/sponsor/CaptusNetworks_focus-ids_000101
---------------------------------------------------------------------------