IDS mailing list archives

RE: SNORT: MAC Address Alert

From: "Jorge Coll" <jcoll () commonx com>
Date: Mon, 22 Sep 2003 10:45:35 -0400

The method discussed here involves sniffing out the already known MAC
address.  What if the attacker changes his/her MAC?  How then will you
know if you are sending SPAM?  

You should sniff the wire for SMTP "talk".  If you telnet to any server
(guy please correct me) I believe that the response would first be a
"220."  You could setup your sniffer to match those 3 bytes from the
payload and then send the MAC and IP to your mobile.  

Does the AP support MAC Locking?  You might also look into that.

- jc

-----Original Message-----
From: James Williams [mailto:jwilliams () mail wtamu edu] 
Sent: Wednesday, September 17, 2003 11:31 AM
To: SF-IDS
Subject: SNORT: MAC Address Alert

We have been having an issue over the past couple of days where a couple
of computers are gaining access to our network and picking arbitrary IP
addresses to send SPAM emails. We have the MAC addresses of the
suspected computers and know which locations they are coming from, but
they do not spend much time in any one location. What I would like to do
is setup a box with snort and configure a very specific rule set to have
snort text message my mobile phone when it sees these two MAC addresses
on our network and possibly from which switch/wap/vlan/etc. Is this
possible? If so can somebody give me a couple configuration examples?

Thank you,

James Williams


------------------------------------------------------------------------
---
Captus Networks IPS 4000
Intrusion Prevention and Traffic Shaping Technology to: 
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
 - Automatically Control P2P, IM and Spam Traffic
 - Precisely Define and Implement Network Security & Performance
Policies
FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo 
http://www.securityfocus.com/sponsor/CaptusNetworks_focus-ids_000101
------------------------------------------------------------------------
---


---------------------------------------------------------------------------
Captus Networks IPS 4000
Intrusion Prevention and Traffic Shaping Technology to:
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
 - Automatically Control P2P, IM and Spam Traffic
 - Precisely Define and Implement Network Security & Performance Policies
FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
http://www.securityfocus.com/sponsor/CaptusNetworks_focus-ids_000101
---------------------------------------------------------------------------

Current thread:

SNORT: MAC Address Alert James Williams (Sep 18)
- Re: SNORT: MAC Address Alert Jordan Wiens (Sep 19)
  - Re: SNORT: MAC Address Alert Jordan Wiens (Sep 22)
- Re: SNORT: MAC Address Alert Mark Coleman (Sep 19)
- Re: SNORT: MAC Address Alert noconflic (Sep 19)
- Re: SNORT: MAC Address Alert Florin Andrei (Sep 19)
- Re: SNORT: MAC Address Alert Brad McGary (Sep 19)
  - Re: SNORT: MAC Address Alert noconflic (Sep 22)
    - Re: SNORT: MAC Address Alert Maxime Ducharme (Sep 22)
- <Possible follow-ups>
- RE: SNORT: MAC Address Alert Jorge Coll (Sep 22)