Snort mailing list archives
idea for detection of rouge nodes?
From: "Fred McFeeters" <nfolink () hotmail com>
Date: Sun, 1 Feb 2004 03:09:31 -0600
Hello all.
This may be a dumb idea; however I wanted your thoughts.
I have a very small network 6 node, with a wireless AP. All my wireless
clients are windows XP machines, so I was thinking that if I setup some type
of rule that looks for (">>> NBT UDP PACKET(137): REGISTRATION; REQUEST;
BROADCAST") and within that packet the ("Name=Name Of Computer NameType=0x00
(Workstation)") then if sees a packet that doesn't have the name of one of
my computers it sets off an alert?
Now I know this could be very simply bypassed but how many people when WIFI
hunting think to change there computer name also? Most would only change the
IP and MAC to match that of the computer they want to clone.
Thanks for your thoughts
Fred McFeeters
Current thread:
- idea for detection of rouge nodes? Fred McFeeters (Feb 01)
- Re: idea for detection of rouge nodes? James Edwards (Feb 01)
- RE: idea for detection of rouge nodes? Fred McFeeters (Feb 02)
- How are alerts being logged? Peggy Kam (Feb 02)
- Re: How are alerts being logged? Erek Adams (Feb 02)
- Re: idea for detection of rouge nodes? James Edwards (Feb 01)