Re: Scan for "outsider" Pcs on network

[Ron Gula <rgula () tenablesecurity com>]

At 05:15 AM 3/6/2006, Mircea MITU wrote:
> On Thu, 2006-03-02 at 23:47 +0000, dhamm () jackofallgames com wrote:
> > Is there a way to setup a scan and be notified of an intruding pc that
> > is physically plugged into the network?
>
> Sure, use arpwatch.

Actually, this will find "new" hosts all the time with little
discrimination between a new valid laptop on the LAN and a
visiting consultant in the conference room.

A lot of SIMs have the ability to process log files (such as
those of arpwatch or the dhcp logs of a Windows server) and
identity the MAC address. If you can recognize a "new" MAC
address and also associate it with something interesting like
"the conference room" or "the server farm" you can specify
different levels of alerting or logging. An example of this
is here in one of Tenable's TASL event correlation rules:

http://cgi.tenablesecurity.com/tasl/new_mac.tasl

The particular script is simple in that it just alerts on
a new MAC addr. Different scripts could consume output of
this script and have 2nd order alerts depending on the
location of the IP address issued, the type of MAC, .etc.

Ron Gula, CTO
Tenable Network Security




------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------