IDS mailing list archives

Re: Tracking back internal incidents to users, not IPs


From: Roland Dobbins <rdobbins () cisco com>
Date: Fri, 24 Feb 2006 22:49:30 -0800


The problem with shutting down the port is that the user is likely to move to another port, and then you have to wait for his machine to start doing Bad Things again, and then shut him down yet again (same concept with source-based remotely-triggered blackhole, or SRTBH), and then when someone else plugs into the shutdown port(s), there's a trouble-ticket generated.

It's certainly better than doing nothing at all, mind - but it's a whack-a-mole type of deal.


On Feb 24, 2006, at 5:44 AM, Cojocea, Mike (IST) wrote:



then queries your DHCP server(s) for active leases with MAC addresses,
compares the MAC address to the switch's MAC table, then queries your
database/spreadsheet for jack number to switch port assignments and
updates the user object via an LDAP modify command.


Have a look at Netdisco (netdisco.org). It does an SNMP walk and dumps
the switch ARP/IP tables into a database which you can query using
CGI+Apache. I used it in a 10K host network and it helped me a lot.
Using Netdisco you can track down a MAC to a port and shut down the port
in a couple of seconds.

Thanks,
Mike

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------

----------------------------------------------------------------------
Roland Dobbins <rdobbins () cisco com> // 408.527.6376 voice

     Everything has been said.  But nobody listens.

                   -- Roger Shattuck
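The lease-to-user chain Mike describes (DHCP lease -> MAC -> switch MAC table -> port -> jack -> user), as an added Python example that is not code from either poster or from Netdisco. The lease table, the MAC-table text layout and the jack inventory are constructed sample data, and the lease lookup is bound to the alert time so a reassigned address is not attributed to whoever holds it now.

```python
"""Attribute an IDS alert (source IP + time) to a user via the chain
DHCP lease -> MAC -> switch port -> jack -> user.
Added example with constructed data; not the thread's or Netdisco's code."""

# Constructed DHCP lease table: (ip, mac, lease_start, lease_end).
# Times are ISO-8601 strings, which compare correctly as plain strings.
DHCP_LEASES = [
    ("10.1.2.50", "00:11:22:33:44:55", "2006-02-24T08:00", "2006-02-24T16:00"),
    ("10.1.2.50", "aa:bb:cc:dd:ee:ff", "2006-02-24T16:05", "2006-02-25T00:05"),
]
# Constructed switch MAC table text (assumed layout: vlan, mac, type, port).
MAC_TABLE = """\
   10    0011.2233.4455    DYNAMIC     Fa0/12
   10    aabb.ccdd.eeff    DYNAMIC     Fa0/7
"""
# Constructed jack inventory: switch port -> (jack number, user).
JACKS = {"Fa0/12": ("3F-117", "jdoe"), "Fa0/7": ("3F-121", "asmith")}

def ios_mac_to_colon(m):
    """Convert dotted 0011.2233.4455 to colon form 00:11:22:33:44:55."""
    digits = m.replace(".", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_mac_table(text):
    """Return {mac: port} from the constructed MAC table text."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            table[ios_mac_to_colon(parts[1])] = parts[3]
    return table

def lease_at(ip, when):
    """MAC that held `ip` at `when`; None if no lease covered that time."""
    for lip, mac, start, end in DHCP_LEASES:
        if lip == ip and start <= when <= end:
            return mac
    return None

def attribute(ip, when):
    """Return (mac, port, jack, user); None when no lease matches.
    Missing links further down the chain come back as None."""
    mac = lease_at(ip, when)
    if mac is None:
        return None
    port = parse_mac_table(MAC_TABLE).get(mac)
    if port is None:
        return (mac, None, None, None)
    jack, user = JACKS.get(port, (None, None))
    return (mac, port, jack, user)
```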



