IDS mailing list archives

RE: Tracking back internal incidents to users, not IPs


From: "Cojocea, Mike (IST)" <Mike.Cojocea () watsonwyatt com>
Date: Fri, 24 Feb 2006 08:44:01 -0500



then queries your DHCP server(s) for active leases with MAC addresses,
compares the MAC address to the switch's MAC table, then queries your
database/spreadsheet for jack number to switch port assignments and
updates the user object via an LDAP modify command.  


Have a look at Netdisco (netdisco.org). It does an SNMP walk and dumps
the switch ARP/IP tables into a database which you can query using
CGI+Apache. I used it in a 10K host network and it helped me a lot.
Using Netdisco you can track down a MAC to a port and shut down the port
in a couple of seconds. 

Thanks,
Mike
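
The lookup chain discussed in this thread (IP at incident time, to DHCP lease, to MAC, to switch port, to jack and user), as an added example that is not part of the original post and is not Netdisco code. All addresses, switch names, jack numbers and user names are constructed, and skipping ports that learned more than one MAC (uplinks) is an assumed heuristic.

```python
from collections import Counter
from datetime import datetime

# Constructed sample data (assumptions for illustration, not from a real network).
DHCP_LEASES = [  # (ip, mac, lease_start, lease_end)
    ("10.1.4.23", "00:11:22:aa:bb:01", "2006-02-23 08:00", "2006-02-23 16:00"),
    ("10.1.4.23", "00:11:22:aa:bb:02", "2006-02-23 16:05", "2006-02-24 00:05"),
]
MAC_TABLE = [  # (switch, port, mac) as collected from the switches' MAC tables
    ("sw-floor3", "Gi0/7", "00:11:22:aa:bb:01"),
    ("sw-floor3", "Gi0/9", "00:11:22:aa:bb:02"),
    ("sw-core", "Te1/1", "00:11:22:aa:bb:01"),  # uplink sees every MAC
    ("sw-core", "Te1/1", "00:11:22:aa:bb:02"),
]
JACKS = {  # (switch, port) -> (jack number, assigned user)
    ("sw-floor3", "Gi0/7"): ("3-117", "jdoe"),
    ("sw-floor3", "Gi0/9"): ("3-121", "asmith"),
}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def mac_for_ip(ip, when):
    """Return the MAC that held the lease on ip at the incident time, or None."""
    t = _ts(when)
    for lease_ip, mac, start, end in DHCP_LEASES:
        if lease_ip == ip and _ts(start) <= t < _ts(end):
            return mac
    return None

def access_port(mac):
    """Return the (switch, port) edge port for mac, ignoring multi-MAC uplinks."""
    per_port = Counter((sw, port) for sw, port, _ in MAC_TABLE)
    hits = [(sw, port) for sw, port, m in MAC_TABLE
            if m == mac and per_port[(sw, port)] == 1]
    # Zero or several candidate edge ports means the trace is ambiguous.
    return hits[0] if len(hits) == 1 else None

def trace(ip, when):
    """Map an alert's source IP and timestamp to MAC, port, jack and user."""
    mac = mac_for_ip(ip, when)
    port = access_port(mac) if mac else None
    if port is None:
        return None
    jack, user = JACKS.get(port, (None, None))
    return {"mac": mac, "switch": port[0], "port": port[1], "jack": jack, "user": user}
```

The same IP resolves to different users depending on the alert timestamp, which is why the lease window has to be part of the lookup rather than only the current lease.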


