IDS mailing list archives
Re: Tracking back internal incidents to users, not IPs
From: Roland Dobbins <rdobbins () cisco com>
Date: Fri, 24 Feb 2006 22:49:30 -0800
The problem with shutting down the port is that the user is likely to move to another port, and then you have to wait for his machine to start doing Bad Things again, and then shut him down yet again (same concept with source-based remotely-triggered blackhole, or SRTBH), and then when someone else plugs into the shutdown port(s), there's a trouble-ticket generated.
It's certainly better than doing nothing at all, mind - but it's a whack-a-mole type of deal.
On Feb 24, 2006, at 5:44 AM, Cojocea, Mike (IST) wrote:
then queries your DHCP server(s) for active leases with MAC addresses, compares the MAC address to the switch's MAC table, then queries your database/spreadsheet for jack number to switch port assignments and updates the user object via an LDAP modify command.

Have a look at Netdisco (netdisco.org). It does an SNMP walk and dumps the switch ARP/IP tables into a database which you can query using CGI+Apache. I used it in a 10K host network and it helped me a lot. Using Netdisco you can track down a MAC to a port and shut down the port in a couple of seconds.

Thanks,
Mike
----------------------------------------------------------------------
Roland Dobbins <rdobbins () cisco com> // 408.527.6376 voice

Everything has been said. But nobody listens.

-- Roger Shattuck

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------
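The correlation chain Mike describes (DHCP lease to MAC, MAC to switch port from the bridge forwarding table, port to jack from a spreadsheet, jack to user), as an added worked example. This is not code from the thread or from Netdisco; the lease excerpt, the forwarding table, the jack and user maps, the switch name and the query time are all constructed, hypothetical sample data. It adds two checks a responder wants before acting on the result: the lease must be active at the time of the query, and a MAC learned on a port that carries many MACs is on an uplink, not a user port.

```python
"""Trace an offending IP back to a switch port and a user.

Added example (not from the original thread or from Netdisco).  All
inputs below are constructed: the dhcpd.leases excerpt, the forwarding
table of a hypothetical switch 'sw-3f-01', the jack-to-port spreadsheet
and the jack-to-user directory.
"""
import re
from datetime import datetime, timezone

# Constructed excerpt in ISC dhcpd leases format (hypothetical hosts).
DHCPD_LEASES = """
lease 10.20.3.41 {
  starts 5 2006/02/24 13:02:11;
  ends 6 2006/02/25 13:02:11;
  binding state active;
  hardware ethernet 00:0C:29:4A:1B:2C;
}
lease 10.20.3.77 {
  starts 4 2006/02/23 09:00:00;
  ends 4 2006/02/23 17:00:00;
  binding state free;
  hardware ethernet 00:11:22:33:44:55;
}
lease 10.20.3.90 {
  starts 5 2006/02/24 15:30:00;
  ends 6 2006/02/25 15:30:00;
  binding state active;
  hardware ethernet 00:50:56:aa:00:02;
}
"""

# Constructed bridge forwarding table, shaped like an SNMP walk of
# dot1dTpFdbTable (BRIDGE-MIB) would return it: MAC -> bridge port.
FDB = {
    "sw-3f-01": {
        "00:0c:29:4a:1b:2c": 17,
        "00:11:22:33:44:55": 23,
        # Several MACs behind port 48: it is the uplink, not a user port.
        "00:50:56:aa:00:01": 48,
        "00:50:56:aa:00:02": 48,
        "00:50:56:aa:00:03": 48,
    }
}

# Constructed jack-number spreadsheet and jack-to-user directory.
JACK_BY_PORT = {("sw-3f-01", 17): "3F-117", ("sw-3f-01", 23): "3F-123"}
USER_BY_JACK = {"3F-117": "jdoe", "3F-123": "asmith"}

# A PC plus an IP phone is two MACs; more than that on one port is
# treated as an uplink or hub (assumed threshold, tune per site).
UPLINK_MAC_THRESHOLD = 2

# Hypothetical time of the incident query (dhcpd.leases times are UTC).
QUERY_TIME = datetime(2006, 2, 25, 6, 49, tzinfo=timezone.utc)

LEASE_RE = re.compile(r"lease (?P<ip>\S+) \{(?P<body>.*?)\}", re.S)


def parse_leases(text):
    """Return {ip: (mac, binding_state, lease_end)} from dhcpd.leases text."""
    leases = {}
    for m in LEASE_RE.finditer(text):
        body = m.group("body")
        mac = re.search(r"hardware ethernet (\S+);", body)
        state = re.search(r"binding state (\S+);", body)
        ends = re.search(r"ends \d (\S+ \S+);", body)
        if not (mac and state and ends):
            continue  # malformed or incomplete entry, skip it
        end_time = datetime.strptime(ends.group(1), "%Y/%m/%d %H:%M:%S")
        leases[m.group("ip")] = (
            mac.group(1).lower(),  # normalise case before table lookups
            state.group(1),
            end_time.replace(tzinfo=timezone.utc),
        )
    return leases


def locate_mac(mac, fdb=FDB):
    """Return (switch, port, 'edge'|'uplink') for a MAC, or None if unseen."""
    for switch, table in fdb.items():
        port = table.get(mac)
        if port is None:
            continue
        macs_on_port = sum(1 for p in table.values() if p == port)
        kind = "uplink" if macs_on_port > UPLINK_MAC_THRESHOLD else "edge"
        return switch, port, kind
    return None


def resolve_ip(ip, now=QUERY_TIME, leases_text=DHCPD_LEASES):
    """Walk IP -> MAC -> port -> jack -> user, refusing stale or uplink hits."""
    leases = parse_leases(leases_text)
    if ip not in leases:
        return {"ip": ip, "error": "no lease"}
    mac, state, ends = leases[ip]
    result = {"ip": ip, "mac": mac, "lease_state": state}
    if state != "active" or ends < now:
        # A stale lease may already belong to a different host; do not
        # shut a port on the strength of it.
        result["error"] = "lease not active at query time"
        return result
    loc = locate_mac(mac)
    if loc is None:
        result["error"] = "MAC not seen on any switch"
        return result
    switch, port, kind = loc
    result.update(switch=switch, port=port)
    if kind == "uplink":
        result["error"] = "MAC learned on an uplink port; walk the downstream switch"
        return result
    jack = JACK_BY_PORT.get((switch, port))
    result["jack"] = jack
    result["user"] = USER_BY_JACK.get(jack)
    return result


if __name__ == "__main__":
    for ip in ("10.20.3.41", "10.20.3.77", "10.20.3.90", "10.20.3.5"):
        print(resolve_ip(ip))
```

In practice the three tables come from `dhcpd.leases` (or the DHCP server's lease database), an SNMP walk of the switches, and the cabling spreadsheet; the lookup logic stays the same. Producing the user name rather than only the port is what makes the result actionable beyond the port shutdown Roland describes as whack-a-mole: the follow-up can go to the person, not just the jack.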
Current thread:
- Tracking back internal incidents to users, not IPs Charles Kaplan (Feb 21)
- Re: Tracking back internal incidents to users, not IPs Adam Powers (Feb 22)
- Re: Tracking back internal incidents to users, not IPs Kevin (Feb 22)
- Re: Tracking back internal incidents to users, not IPs John H. Sawyer (Feb 23)
- Re: Tracking back internal incidents to users, not IPs List Spam (Feb 23)
- Re: Tracking back internal incidents to users, not IPs Roland Dobbins (Feb 24)
- <Possible follow-ups>
- Re: Tracking back internal incidents to users, not IPs Michael Allgeier (Feb 22)
- RE: Tracking back internal incidents to users, not IPs Cojocea, Mike (IST) (Feb 24)
- Re: Tracking back internal incidents to users, not IPs Roland Dobbins (Feb 26)
- Re: Tracking back internal incidents to users, not IPs Jason Haar (Feb 26)