|
IDS
mailing list archives
Re: Scan for "outsider" Pcs on network
From: "Eagle Fire" <tlecuauhtli () googlemail com>
Date: Mon, 13 Mar 2006 10:06:12 +0000
Could be 802.1X an alternative? Probably hard to deploy, switches and
wireless AP with the feature and some OS challenges but it may be a
solution.
-tlecu
On 09/03/06, Ron Gula <rgula () tenablesecurity com> wrote:
At 05:15 AM 3/6/2006, Mircea MITU wrote:
On Thu, 2006-03-02 at 23:47 +0000, dhamm () jackofallgames com wrote:
Is there a way to setup a scan and be notified of an intruding pc that
is physically plugged into the network?
Sure, use arpwatch.
Actually, this will find "new" hosts all the time with little
discrimination between a new valid laptop on the LAN and a
visiting consultant in the conference room.
A lot of SIMs have the ability to process log files (such as
those of arpwatch or the dhcp logs of a Windows server) and
identity the MAC address. If you can recognize a "new" MAC
address and also associate it with something interesting like
"the conference room" or "the server farm" you can specify
different levels of alerting or logging. An example of this
is here in one of Tenable's TASL event correlation rules:
http://cgi.tenablesecurity.com/tasl/new_mac.tasl
The particular script is simple in that it just alerts on
a new MAC addr. Different scripts could consume output of
this script and have 2nd order alerts depending on the
location of the IP address issued, the type of MAC, .etc.
Ron Gula, CTO
Tenable Network Security
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
 By Date 
By Thread
Current thread:
|
Intro
