IDS mailing list archives

Re: SNORT: MAC Address Alert


From: "Brad McGary" <bmcgary () secondfront net>
Date: Fri, 19 Sep 2003 08:54:34 -0500

Why don't you set up DHCP reservations for the two MAC addresses and assign
them specific IPs? Once the users acquire the known IPs you can track their
activity using Snort and/or block traffic at the firewall. I'm assuming
you're using DHCP.


----- Original Message ----- 
From: "James Williams" <jwilliams () mail wtamu edu>
To: "SF-IDS" <focus-ids () securityfocus com>
Sent: Wednesday, September 17, 2003 10:30 AM
Subject: SNORT: MAC Address Alert


We have been having an issue over the past couple of days where a couple
of computers are gaining access to our network and picking arbitrary IP
addresses to send SPAM emails. We have the MAC addresses of the
suspected computers and know which locations they are coming from, but
they do not spend much time in any one location. What I would like to do
is set up a box with Snort and configure a very specific rule set to have
Snort text message my mobile phone when it sees these two MAC addresses
on our network and possibly from which switch/wap/vlan/etc. Is this
possible? If so, can somebody give me a couple configuration examples?

Thank you,

James Williams
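
Added example, not part of either message and not Snort configuration: a Python watch for the two MAC addresses that reports each new source IP they use and each SMTP connection attempt. It assumes input lines in the format `tcpdump -e -n` prints; the MAC addresses, IP addresses and sample lines are constructed placeholders.

```python
import re
from collections import defaultdict

# Placeholder MACs (constructed); substitute the two suspect adapters.
WATCHED = {"00:11:22:33:44:55", "00:11:22:33:44:66"}

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
IP = r"\d+(?:\.\d+){3}"
# Link-level header plus IPv4 endpoints as printed by `tcpdump -e -n`.
# The port is optional so ICMP and other portless protocols still match.
LINE = re.compile(
    rf"^(?P<ts>\S+) (?P<src>{MAC}) > {MAC}, ethertype IPv4 \(0x0800\), "
    rf"length \d+: (?P<sip>{IP})(?:\.\d+)? > (?P<dip>{IP})(?:\.(?P<dport>\d+))?:",
    re.IGNORECASE,
)

def alerts(lines, watched=WATCHED):
    """Return (timestamp, mac, source_ip, kind) tuples for watched MACs.

    kind is "new-ip" the first time a MAC uses a given source address
    (the hosts in the thread keep changing IPs) and "smtp-syn" for each
    new connection attempt to TCP port 25.
    """
    ips_by_mac = defaultdict(set)
    out = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # ARP, IPv6 or unparsable line: no IPv4 source to report
        mac, ip = m["src"].lower(), m["sip"]
        if mac not in watched:
            continue
        if ip not in ips_by_mac[mac]:
            ips_by_mac[mac].add(ip)
            out.append((m["ts"], mac, ip, "new-ip"))
        if m["dport"] == "25" and "Flags [S]," in line:
            out.append((m["ts"], mac, ip, "smtp-syn"))
    return out

# Constructed sample capture lines (not from the thread).
SAMPLE = [
    "10:30:01.000100 00:11:22:33:44:55 > 00:aa:bb:cc:dd:01, ethertype IPv4 (0x0800), length 74: 10.1.4.77.40112 > 192.0.2.25.25: Flags [S], seq 1, win 5840, length 0",
    "10:30:01.000900 00:de:ad:be:ef:01 > 00:aa:bb:cc:dd:01, ethertype IPv4 (0x0800), length 74: 10.1.4.20.51000 > 192.0.2.80.80: Flags [S], seq 1, win 5840, length 0",
    "10:30:02.100000 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.1.4.1 tell 10.1.4.77, length 28",
    "10:31:10.500000 00:11:22:33:44:55 > 00:aa:bb:cc:dd:01, ethertype IPv4 (0x0800), length 74: 10.1.4.203.40300 > 192.0.2.25.25: Flags [S], seq 9, win 5840, length 0",
    "10:31:11.000000 00:11:22:33:44:66 > 00:aa:bb:cc:dd:01, ethertype IPv4 (0x0800), length 98: 10.1.9.14 > 10.1.9.1: ICMP echo request, id 1, seq 1, length 64",
]

if __name__ == "__main__":
    for alert in alerts(SAMPLE):
        print(*alert)
```

Each returned tuple can be handed to whatever paging or e-mail-to-SMS gateway is available; delivery is outside this example.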







