[Snort-sigs] rules for physical intruders

Steve Wray steve.wray at ...1294...
Sat Dec 13 17:41:01 EST 2003


If you use a limited variety of NICs you might look
for MAC addresses. I believe that there are resources
available to identify ranges of MAC addresses with
chipset manufacturers. 

Sniff for people plugging laptops into the network; 
have a snort rule looking for MAC addresses of PCMCIA NICs.

Or something like that.

-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of
adam_peterson at ...2065...
Sent: Friday, 12 December 2003 11:04
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] rules for physical intruders
I've come up with some rules to detect DHCP requests from machines that
are not named using our naming standard and are therefore probably not
machines we want on our network.  I've also come up with a rule to pick
up MS Active Directory requests (LDAP) for domains that are not ours, as
this is one of the first things a win2k+ machine does when it gets an
IP.

My question is, has anyone else created similar rules in hopes of
catching consultants/visitors who decide it's okay to connect their
machine to the network, contrary to corporate policy?  I'm struggling to
come up with more than what I have, which is:

[snip]
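As an added illustration, not part of either message in this thread, here is a small Python parser that applies the two checks discussed above to a DHCP client message: option 12 (host name) against a naming standard, and the client hardware address's OUI against an allow-list of corporate NIC vendors. The naming regex, the OUI values and the packet builder are all constructed assumptions, not real vendor prefixes or any organisation's standard.

```python
import re

# Constructed allow-list of OUIs (first three bytes of the MAC) for the NICs
# the organisation buys; placeholder values, not real vendor assignments.
ALLOWED_OUIS = {"00:11:22", "00:aa:bb"}
# Hypothetical corporate naming standard: site code, role, four digits (NYC-WS-0042).
NAMING_STANDARD = re.compile(r"^[A-Z]{3}-(WS|LT|SRV)-\d{4}$")
DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 magic cookie that starts the options

def parse_dhcp(payload: bytes) -> dict:
    """Parse the fixed BOOTP header and the DHCP option list of a client message."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    hlen = payload[2]                        # hardware address length (6 for Ethernet)
    chaddr = payload[28:28 + hlen]           # client hardware address field
    options = {}
    i = 240
    while i < len(payload):
        tag = payload[i]
        if tag == 0:                         # pad option, single byte
            i += 1
            continue
        if tag == 255:                       # end option
            break
        length = payload[i + 1]
        options[tag] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"chaddr": ":".join(f"{b:02x}" for b in chaddr), "options": options}

def check_client(payload: bytes) -> list:
    """Return policy findings for one DHCP client message; an empty list means it passed."""
    msg = parse_dhcp(payload)
    findings = []
    host = msg["options"].get(12, b"").decode("ascii", "replace")
    if not NAMING_STANDARD.match(host):
        findings.append(f"hostname {host!r} does not match naming standard")
    oui = msg["chaddr"][:8]
    if oui not in ALLOWED_OUIS:
        findings.append(f"MAC {msg['chaddr']} has OUI {oui} outside NIC allow-list")
    return findings

def build_discover(mac: bytes, hostname: str) -> bytes:
    """Build a minimal DHCPDISCOVER as constructed test input (not a captured packet)."""
    header = bytes([1, 1, 6, 0]) + b"\x00" * 24        # op, htype, hlen, hops, xid..giaddr
    header += mac + b"\x00" * 10 + b"\x00" * 192        # chaddr (16), sname (64), file (128)
    opts = b"\x35\x01\x01" + bytes([12, len(hostname)]) + hostname.encode() + b"\xff"
    return header + DHCP_MAGIC + opts

if __name__ == "__main__":
    print(check_client(build_discover(bytes.fromhex("0c1d2e3f4a5b"), "adams-laptop")))
```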