IDS mailing list archives
RE: SNORT: MAC Address Alert
From: "Jorge Coll" <jcoll () commonx com>
Date: Mon, 22 Sep 2003 10:45:35 -0400
The method discussed here involves sniffing out the already known MAC address. What if the attacker changes his/her MAC? How then will you know if you are sending SPAM? You should sniff the wire for SMTP "talk". If you telnet to any server (guy please correct me) I believe that the response would first be a "220." You could setup your sniffer to match those 3 bytes from the payload and then send the MAC and IP to your mobile. Does the AP support MAC Locking? You might also look into that. - jc -----Original Message----- From: James Williams [mailto:jwilliams () mail wtamu edu] Sent: Wednesday, September 17, 2003 11:31 AM To: SF-IDS Subject: SNORT: MAC Address Alert We have been having an issue over the past couple of days where a couple of computers are gaining access to our network and picking arbitrary IP addresses to send SPAM emails. We have the MAC addresses of the suspected computers and know which locations they are coming from, but they do not spend much time in any one location. What I would like to do is setup a box with snort and configure a very specific rule set to have snort text message my mobile phone when it sees these two MAC addresses on our network and possibly from which switch/wap/vlan/etc. Is this possible? If so can somebody give me a couple configuration examples? Thank you, James Williams ------------------------------------------------------------------------ --- Captus Networks IPS 4000 Intrusion Prevention and Traffic Shaping Technology to: - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans - Automatically Control P2P, IM and Spam Traffic - Precisely Define and Implement Network Security & Performance Policies FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo http://www.securityfocus.com/sponsor/CaptusNetworks_focus-ids_000101 ------------------------------------------------------------------------ --- --------------------------------------------------------------------------- Captus Networks IPS 4000 Intrusion Prevention and Traffic Shaping Technology to: - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans - Automatically Control P2P, IM and Spam Traffic - Precisely Define and Implement Network Security & Performance Policies FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo http://www.securityfocus.com/sponsor/CaptusNetworks_focus-ids_000101 ---------------------------------------------------------------------------
Current thread:
- SNORT: MAC Address Alert James Williams (Sep 18)
- Re: SNORT: MAC Address Alert Jordan Wiens (Sep 19)
- Re: SNORT: MAC Address Alert Jordan Wiens (Sep 22)
- Re: SNORT: MAC Address Alert Mark Coleman (Sep 19)
- Re: SNORT: MAC Address Alert noconflic (Sep 19)
- Re: SNORT: MAC Address Alert Florin Andrei (Sep 19)
- Re: SNORT: MAC Address Alert Brad McGary (Sep 19)
- Re: SNORT: MAC Address Alert noconflic (Sep 22)
- Re: SNORT: MAC Address Alert Maxime Ducharme (Sep 22)
- Re: SNORT: MAC Address Alert noconflic (Sep 22)
- <Possible follow-ups>
- RE: SNORT: MAC Address Alert Jorge Coll (Sep 22)
- Re: SNORT: MAC Address Alert Jordan Wiens (Sep 19)