[Snort-users] Rogue system detection
skip at ...1552...
Tue Apr 26 11:20:19 EDT 2005
> I have a question that's not necessarily a snort thing, but I have no idea
> what other list to ask, so here goes. What are people using out there for
> rogue system detection? I'm trying to figure out how to passively detect
> when a 'new' system comes online in the local network and possibly detect
> the os and such. I imagine the tool would have to be able to match MAC
> addresses to deal with changing addresses and DHCP, along with report/alert
> when something new comes online. Maybe RNA?
We use 'arpwatch' for this purpose. It will send an email notification
when it sees a new MAC address or sees an IP-MAC pair change.
We also modified arpwatch, for our internal use, to report to a database
so that the current MAC address table for a given network can be
through a web interface.
Having the info in a database also makes it practical to use a MAC
whitelist for the DHCP server. This gets you two things:
if the MAC address is not known, no IP address is handed out
by the DHCP server.
a given MAC address is always given the same IP address, making
Dr. Everett (Skip) Carter Phone: 831-641-0645 FAX: 831-641-0647
Taygeta Network Security Services email: skip at ...13190...
1340 Munras Ave., Suite 314 WWW: http://www.taygeta.net/
Monterey, CA. 93940
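As an added illustration (not from this post and not arpwatch's own code), the core of what Skip describes, written in Python: a watcher that keeps the IP-to-MAC table seen in ARP traffic, flags a never-before-seen MAC as a new station and a changed IP/MAC pairing as an address change, plus the MAC whitelist check a DHCP server would use. The ARP sightings and the reservation table are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class ArpWatcher:
    """arpwatch-style state: last MAC seen per IP, and every MAC seen so far."""
    table: dict[str, str] = field(default_factory=dict)   # ip -> mac
    known_macs: set[str] = field(default_factory=set)

    def observe(self, ip: str, mac: str) -> list[str]:
        """Record one ARP sighting; return the alerts it triggers (possibly none)."""
        alerts: list[str] = []
        mac = mac.lower()                       # normalise before comparing
        if mac not in self.known_macs:          # station never seen on this segment
            alerts.append(f"new station {mac} at {ip}")
            self.known_macs.add(mac)
        old = self.table.get(ip)
        if old is not None and old != mac:      # same IP now answered by another MAC
            alerts.append(f"changed ethernet address {ip} {old} -> {mac}")
        self.table[ip] = mac
        return alerts

# Constructed whitelist: MAC -> fixed IP, as the post's DHCP setup implies.
RESERVATIONS = {
    "00:11:22:33:44:55": "10.0.0.5",
    "aa:bb:cc:dd:ee:01": "10.0.0.6",
}

def dhcp_offer(mac: str, reservations: dict[str, str]) -> str | None:
    """Whitelist policy: unknown MAC gets no lease; known MAC always gets its IP."""
    return reservations.get(mac.lower())

# Constructed ARP sightings (ip, mac) in the order they were seen.
SAMPLE_ARP = [
    ("10.0.0.5", "00:11:22:33:44:55"),   # first sighting -> new station
    ("10.0.0.5", "00:11:22:33:44:55"),   # repeat -> quiet
    ("10.0.0.6", "AA:BB:CC:DD:EE:01"),   # new station (case normalised)
    ("10.0.0.5", "aa:bb:cc:dd:ee:01"),   # known MAC, but 10.0.0.5 changed owner
    ("10.0.0.7", "de:ad:be:ef:00:01"),   # new station
]

def run_sample() -> list[str]:
    """Feed the sample sightings through one watcher and collect all alerts."""
    watcher = ArpWatcher()
    alerts: list[str] = []
    for ip, mac in SAMPLE_ARP:
        alerts.extend(watcher.observe(ip, mac))
    return alerts

if __name__ == "__main__":
    for line in run_sample():
        print(line)
```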