IDS mailing list archives
Re: Scan for "outsider" Pcs on network
From: Jean-Philippe Luiggi <jp.luiggi () free fr>
Date: Mon, 20 Mar 2006 14:53:01 -0500
On Fri, Mar 17, 2006 at 02:41:10PM -0800, Kurt Buff wrote:
On 2 Mar 2006 23:47:59 -0000, dhamm () jackofallgames com <dhamm () jackofallgames com> wrote:Is there a way to setup a scan and be notified of an intruding pc that is physically plugged into the network?Just one suggestion: Write a script that visits all of your switches/routers and gets their tables of pairs of ports and MAC addresses, then dump them into a database. Schedule it to do this periodically, say every 5-10 minutes. Kind of a roll-your-own distributed arpwatch, but it's what I'm doing by hand for our 6 48-port Cisco switches. Unfortunately, I don't have the scripting knowledge (Expect? PERL? Something else? SNMP, telnet or maybe some other query method?) to do this, though I know people have done it. And, of course, the obligatory plea to share if you have such a script.
Hello, Just to mention : netdisco Netdisco is an Open Source web-based network management tool. Designed for moderate to large networks, configuration information and connection data for network devices are retrieved by SNMP. With Netdisco you can locate the switch port of an end-user system by IP or MAC address. Data is stored using a SQL database for scalability and speed. Cisco Discovery Protocol (CDP) optionally provides automatic discovery of the network topology. The network is inventoried by both device model and operating system (like IOS). Netdisco uses router ARP tables and L2 switch MAC forwarding tables to locate nodes on physical ports and track them by their IP addresses. For each node, a time stamped history of the ports it has visited and the IP addresses it has used is maintained. Netdisco gets all its data, including CDP topology information, with SNMP polls and DNS queries. It does not use CLI access and has no need for privilege passwords. Security features include a wire-side Wireless Access Point (AP) locator. Best regards. ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
Current thread:
- Scan for "outsider" Pcs on network dhamm (Mar 03)
- Re: Scan for "outsider" Pcs on network Mircea MITU (Mar 09)
- Re: Scan for "outsider" Pcs on network Ron Gula (Mar 11)
- Re: Scan for "outsider" Pcs on network Eagle Fire (Mar 14)
- Re: Scan for "outsider" Pcs on network Ron Gula (Mar 11)
- Re: Scan for "outsider" Pcs on network Alice Bryson (Mar 14)
- Re: Scan for "outsider" Pcs on network Kurt Buff (Mar 20)
- Re: Scan for "outsider" Pcs on network Jean-Philippe Luiggi (Mar 21)
- <Possible follow-ups>
- RE: Scan for "outsider" Pcs on network Craig Wright (Mar 11)
- Re: Scan for "outsider" Pcs on network Eagle Fire (Mar 17)
- Re: Scan for "outsider" Pcs on network auto62996 (Mar 20)
- RE: Scan for "outsider" Pcs on network Craig Wright (Mar 21)
- Re: Scan for "outsider" Pcs on network Eagle Fire (Mar 27)
- Re: Scan for "outsider" Pcs on network auto62996 (Mar 30)
- Re: Scan for "outsider" Pcs on network Mircea MITU (Mar 09)