IDS mailing list archives
Re: Scan for "outsider" Pcs on network
From: Ron Gula <rgula () tenablesecurity com>
Date: Thu, 09 Mar 2006 15:40:01 -0500
At 05:15 AM 3/6/2006, Mircea MITU wrote:
> On Thu, 2006-03-02 at 23:47 +0000, dhamm () jackofallgames com wrote:
> > Is there a way to set up a scan and be notified of an intruding PC that
> > is physically plugged into the network?
>
> Sure, use arpwatch.
Actually, this will find "new" hosts all the time with little discrimination between a new valid laptop on the LAN and a visiting consultant in the conference room. A lot of SIMs have the ability to process log files (such as those of arpwatch or the DHCP logs of a Windows server) and identify the MAC address. If you can recognize a "new" MAC address and also associate it with something interesting like "the conference room" or "the server farm", you can specify different levels of alerting or logging.

An example of this is here in one of Tenable's TASL event correlation rules:

http://cgi.tenablesecurity.com/tasl/new_mac.tasl

The particular script is simple in that it just alerts on a new MAC address. Different scripts could consume the output of this script and have second-order alerts depending on the location of the IP address issued, the type of MAC, etc.

Ron Gula, CTO
Tenable Network Security
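The two-stage idea above (first detect a new MAC, then rate it by where the address was issued) as an added Python example; this is not the TASL rule linked in the post and not Tenable's code. The log lines, the known-MAC inventory and the subnet-to-location map are all constructed for the example.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample of arpwatch-style syslog lines (hosts are made up).
SAMPLE_LOG = """\
Mar  9 15:40:01 gw arpwatch: new station 10.1.20.17 0:11:22:33:44:55 eth0
Mar  9 15:41:12 gw arpwatch: new station 10.1.10.5 0:aa:bb:cc:dd:ee eth0
Mar  9 15:42:30 gw arpwatch: new station 10.1.30.9 0:de:ad:be:ef:1 eth0
Mar  9 15:43:02 gw arpwatch: changed ethernet address 10.1.10.7 0:1:2:3:4:5 (0:1:2:3:4:6) eth0
"""

# Hypothetical inventory of MACs already authorised on the LAN. arpwatch prints
# octets without zero padding, so every address is normalised before comparison.
KNOWN_MACS = {"00:aa:bb:cc:dd:ee"}

# Hypothetical map from subnet to a location and the alert level a new MAC there deserves;
# anything outside the map is treated as an unknown segment and raised as a warning.
LOCATIONS = [
    (ipaddress.ip_network("10.1.10.0/24"), "server farm", "critical"),
    (ipaddress.ip_network("10.1.20.0/24"), "conference room", "info"),
]

NEW_STATION = re.compile(r"arpwatch: new station (\S+) (\S+) (\S+)")


def normalize_mac(mac: str) -> str:
    """Zero-pad each octet so '0:1:2:3:4:5' and '00:01:02:03:04:05' compare equal."""
    return ":".join(f"{int(o, 16):02x}" for o in mac.split(":"))


def locate(ip: str) -> Tuple[str, str]:
    """Second-order step: map the issued IP to a location and an alert level."""
    addr = ipaddress.ip_address(ip)
    for net, name, level in LOCATIONS:
        if addr in net:
            return name, level
    return "unknown segment", "warning"


def process(log: str, known: set) -> List[Dict[str, str]]:
    """First-order step: pick out 'new station' events whose MAC is not in the inventory."""
    alerts = []
    for line in log.splitlines():
        m = NEW_STATION.search(line)
        if not m:
            continue  # other arpwatch events (flip flop, changed address) are ignored here
        ip, mac, iface = m.groups()
        mac = normalize_mac(mac)
        if mac in known:
            continue  # known laptop reappearing: log only, no alert
        location, level = locate(ip)
        alerts.append({"ip": ip, "mac": mac, "iface": iface, "location": location, "level": level})
    return alerts
```

On the sample above this yields two alerts: an "info" one for the conference-room address and a "warning" for the address on an unmapped segment, while the known MAC and the "changed ethernet address" line produce nothing.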