IDS mailing list archives

Re: Scan for "outsider" Pcs on network

From: Jean-Philippe Luiggi <jp.luiggi () free fr>
Date: Mon, 20 Mar 2006 14:53:01 -0500

On Fri, Mar 17, 2006 at 02:41:10PM -0800, Kurt Buff wrote:

On 2 Mar 2006 23:47:59 -0000, dhamm () jackofallgames com
<dhamm () jackofallgames com> wrote:

Is there a way to setup a scan and be notified of an
intruding pc that is physically plugged into the network?


Just one suggestion:

Write a script that visits all of your switches/routers and gets their
tables of pairs of ports and MAC addresses, then dump them into a
database. Schedule it to do this periodically, say every 5-10 minutes.
Kind of a roll-your-own distributed arpwatch, but it's what I'm doing
by hand for our 6 48-port Cisco switches. Unfortunately, I don't have
the scripting knowledge (Expect? PERL? Something else? SNMP, telnet or
maybe some other query method?) to do this, though I know people have
done it.

And, of course, the obligatory plea to share if you have such a script.


 Hello,
 
 Just to mention : netdisco
 
 Netdisco is an Open Source web-based network management tool.
 
 Designed for moderate to large networks, configuration information and
 connection data for network devices are retrieved by SNMP. With Netdisco
 you can locate the switch port of an end-user system by IP or MAC address.
 Data is stored using a SQL database for scalability and speed.
 Cisco Discovery Protocol (CDP) optionally provides automatic discovery of
 the network topology. The network is inventoried by both device model and
 operating system (like IOS). Netdisco uses router ARP tables and L2 switch
 MAC forwarding tables to locate nodes on physical ports and track them by
 their IP addresses. For each node, a time stamped history of the ports it
 has visited and the IP addresses it has used is maintained. Netdisco gets
 all its data, including CDP topology information, with SNMP polls and DNS
 queries. It does not use CLI access and has no need for privilege
 passwords. Security features include a wire-side Wireless Access Point (AP)
 locator.
 
 
 Best regards.
 

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------

Current thread:

Scan for "outsider" Pcs on network dhamm (Mar 03)
- Re: Scan for "outsider" Pcs on network Mircea MITU (Mar 09)
  - Re: Scan for "outsider" Pcs on network Ron Gula (Mar 11)
    - Re: Scan for "outsider" Pcs on network Eagle Fire (Mar 14)
- Re: Scan for "outsider" Pcs on network Alice Bryson (Mar 14)
- Re: Scan for "outsider" Pcs on network Kurt Buff (Mar 20)
  - Re: Scan for "outsider" Pcs on network Jean-Philippe Luiggi (Mar 21)
- <Possible follow-ups>
- RE: Scan for "outsider" Pcs on network Craig Wright (Mar 11)
- Re: Scan for "outsider" Pcs on network Eagle Fire (Mar 17)
- Re: Scan for "outsider" Pcs on network auto62996 (Mar 20)
- RE: Scan for "outsider" Pcs on network Craig Wright (Mar 21)
  - Re: Scan for "outsider" Pcs on network Eagle Fire (Mar 27)
- Re: Scan for "outsider" Pcs on network auto62996 (Mar 30)