[Snort-sigs] rules for physical intruders

Hugo van der Kooij hvdkooij at ...481...
Sun Dec 14 00:18:01 EST 2003


On Thu, 11 Dec 2003 adam_peterson at ...2065... wrote:

> I've come up with some rules to detect DHCP requests from machines that
> are not named using our naming standard and are therefore probably not
> machines we want on our network.  I've also come up with a rule to pick up
> MS Active Directory requests (LDAP) for domains that are not ours, as this
> is one of the first things a Win2k+ machine does when it gets an IP.

You need arpwatch!

Hugo.

-- 
 All email sent to me is bound to the rules described on my homepage.
    hvdkooij at ...481...		http://hvdkooij.xs4all.nl/
	    Don't meddle in the affairs of sysadmins,
	    for they are subtle and quick to anger.
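
The hostname check described in the quoted message, as an added example that is not from either poster: it reads DHCP option 12 (hostname) from client DISCOVER/REQUEST payloads and reports names that do not fit a naming standard. The naming pattern, the function names and the sample packets are assumptions constructed for illustration.

```python
import re
import struct

# Assumption: hypothetical naming standard such as "ws-ams-0042"; substitute your own.
NAMING_STANDARD = re.compile(r"(ws|lt|srv)-[a-z]{3}-\d{4}", re.IGNORECASE)
MAGIC_COOKIE = b"\x63\x82\x53\x63"            # marks the start of DHCP options
CLIENT_TYPES = {1: "DISCOVER", 3: "REQUEST"}  # option 53 values sent by clients

def parse_dhcp(payload):
    """Return (client MAC, {option: value}) for a DHCP UDP payload, else None."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    mac = ":".join(f"{b:02x}" for b in payload[28:28 + min(payload[2], 16)])
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                         # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            break                                   # truncated option header
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) < length:
            break                                   # truncated option value
        opts[code] = value
        i += 2 + length
    return mac, opts

def check(payload):
    """Return (type, MAC, hostname) when a client request breaks the naming standard."""
    parsed = parse_dhcp(payload)
    if parsed is None:
        return None
    mac, opts = parsed
    msg_type = opts.get(53, b"")
    if not msg_type or msg_type[0] not in CLIENT_TYPES:
        return None
    hostname = opts.get(12, b"").rstrip(b"\x00").decode("ascii", "replace")
    if NAMING_STANDARD.fullmatch(hostname):         # a missing hostname never matches
        return None
    return CLIENT_TYPES[msg_type[0]], mac, hostname

def build_sample(mac, msg_type, hostname=None):
    """Construct a minimal DHCP payload for the demo (not captured traffic)."""
    header = struct.pack("!4BIHH", 1, 1, 6, 0, 0x1234, 0, 0) + bytes(16) + mac + bytes(202)
    options = bytes([53, 1, msg_type])
    if hostname is not None:
        options += bytes([12, len(hostname)]) + hostname.encode("ascii")
    return header + MAGIC_COOKIE + options + b"\xff"
```

A client that sends no hostname at all is reported with an empty name, since it cannot be shown to follow the standard.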




