Snort mailing list archives

RE: Alert on new IP in use?

From: "Williams Jon" <WilliamsJonathan () JohnDeere com>
Date: Mon, 1 Aug 2005 07:44:52 -0500

I realize your question was posted to the snort list, but there is a
neat tool called Never Before Seen (NBS) by Marcus Ranum that does this.
I worked with it for a while, but got pulled off on other projects so I
haven't touched it in a while.  Should work well for your application,
though.

You can find NBS at Marcus' website:

http://www.ranum.com/security/computer_security/index.html

Jon 

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Rich
Adamson
Sent: Monday, August 01, 2005 8:15 AM
To: Snort Users Postings
Subject: [Snort-users] Alert on new IP in use?


Looking for a way to monitor a small banking network and generate an
alert when an unused IP address is observed. The current IP's are not
consecutive.

Example: we have 26 static IP addresses assigned to workstations and
servers. If a 27th (or greater) address appears on the wire, generate an
alert. (Note: not very interested in watching MAC addresses as some of
the IP's are behind another layer-3 device.)

Thoughts?




-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_idt77&alloc_id492&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Alert on new IP in use? Rich Adamson (Aug 01)
- Re: Alert on new IP in use? Matt Kettler (Aug 01)
  - Re: Alert on new IP in use? Rich Adamson (Aug 01)
    - Re: Alert on new IP in use? Matt Kettler (Aug 01)
- Re: Alert on new IP in use? James Riden (Aug 01)
  - Re: Alert on new IP in use? Jason Benway (Aug 03)
    - Re: Alert on new IP in use? James Riden (Aug 03)
    - Re: Alert on new IP in use? Jason Benway (Aug 09)
- Re: Alert on new IP in use? Jeff Coppock (Aug 02)
- <Possible follow-ups>
- RE: Alert on new IP in use? Williams Jon (Aug 01)
  - Re: Alert on new IP in use? Daniel Cid (Aug 01)
- Re: Alert on new IP in use? Donofrio, Lewis (Aug 04)