Re: Scan for "outsider" Pcs on network

["Eagle Fire" <tlecuauhtli () googlemail com>]

 Could be 802.1X an alternative? Probably hard to deploy, switches and
wireless AP with the feature and some OS challenges but it may be a
solution.

 -tlecu

On 09/03/06, Ron Gula <rgula () tenablesecurity com> wrote:
> At 05:15 AM 3/6/2006, Mircea MITU wrote:
> > On Thu, 2006-03-02 at 23:47 +0000, dhamm () jackofallgames com wrote:
> > > Is there a way to setup a scan and be notified of an intruding pc that
> > > is physically plugged into the network?
> >
> > Sure, use arpwatch.
>
> Actually, this will find "new" hosts all the time with little
> discrimination between a new valid laptop on the LAN and a
> visiting consultant in the conference room.
>
> A lot of SIMs have the ability to process log files (such as
> those of arpwatch or the dhcp logs of a Windows server) and
> identity the MAC address. If you can recognize a "new" MAC
> address and also associate it with something interesting like
> "the conference room" or "the server farm" you can specify
> different levels of alerting or logging. An example of this
> is here in one of Tenable's TASL event correlation rules:
>
> http://cgi.tenablesecurity.com/tasl/new_mac.tasl
>
> The particular script is simple in that it just alerts on
> a new MAC addr. Different scripts could consume output of
> this script and have 2nd order alerts depending on the
> location of the IP address issued, the type of MAC, .etc.
>
> Ron Gula, CTO
> Tenable Network Security
>
>
>
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> ------------------------------------------------------------------------