[Snort-users] Rogue system detection

Skip Carter skip at ...1552...
Tue Apr 26 11:20:19 EDT 2005


> I have a question that's not necessarily a snort thing, but I have no idea
> what other list to ask, so here goes.  What are people using out there for
> rogue system detection?  I'm trying to figure out how to passively detect
> when a 'new' system comes online in the local network and possibly detect
> the os and such.  I imagine the tool would have to be able to match MAC
> addresses to deal with changing addresses and DHCP, along with report/alert
> when something new comes online.  Maybe RNA?

	We use 'arpwatch' for this purpose.  It will send an email notification
	when it sees a new MAC address or sees an IP-MAC pair change.

	We also modified arpwatch, for our internal use, to report to a database
	so that the current MAC address table for a given network can be
	monitored through a web interface.

	Having the info in a database also makes it practical to use a MAC
	address whitelist for the DHCP server.  This gets you two things:

		if the MAC address is not known, no IP address is handed out
		by the DHCP server.

		a given MAC address is always given the same IP address, making
		auditing easier.



Skip


-- 
 Dr. Everett (Skip) Carter           Phone: 831-641-0645 FAX:  831-641-0647
 Taygeta Network Security Services   email: skip at ...13190...
 1340 Munras Ave., Suite 314         WWW: http://www.taygeta.net/
 Monterey, CA. 93940            
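The two mechanisms Skip describes, passive tracking of IP-MAC pairs and a MAC whitelist feeding the DHCP server, are small enough to sketch in code. The following is an added example written for this thread; it is not arpwatch, nor Taygeta's modified version of it. It keeps an in-memory IP-to-MAC table (standing in for the database), raises an event when a MAC is seen for the first time or when an IP's MAC changes (the event names are loosely modelled on arpwatch's report wording), and then uses the same table as a whitelist: an unknown MAC gets no lease, a known MAC always gets its fixed address. The ARP observations are constructed sample data; in practice they would come from a sniffer on the local segment.

```python
"""Passive IP-MAC tracking plus a DHCP MAC whitelist (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Event:
    kind: str            # "new mac", "changed ethernet address", "flip flop"
    ip: str
    mac: str
    old_mac: Optional[str] = None


class ArpTracker:
    """Tracks which MAC is currently behind each IP, like arpwatch's table."""

    def __init__(self):
        self.current = {}     # ip -> MAC most recently seen for that IP
        self.history = {}     # ip -> every MAC ever seen for that IP
        self.known_macs = set()

    def observe(self, ip, mac):
        """Record one ARP sighting; return the events it triggers (if any)."""
        mac = mac.lower()
        events = []
        if mac not in self.known_macs:           # a station never seen before
            self.known_macs.add(mac)
            events.append(Event("new mac", ip, mac))
        old = self.current.get(ip)
        if old is None:                          # first time this IP is seen
            self.current[ip] = mac
            self.history[ip] = {mac}
        elif old != mac:                         # IP-MAC pair changed
            # A return to a MAC seen earlier on this IP is a "flip flop"
            # (often DHCP churn); a brand-new MAC is a real address change.
            kind = "flip flop" if mac in self.history[ip] else "changed ethernet address"
            events.append(Event(kind, ip, mac, old_mac=old))
            self.current[ip] = mac
            self.history[ip].add(mac)
        return events

    def table(self):
        """Current IP -> MAC table, as a web interface would display it."""
        return dict(sorted(self.current.items()))


# Constructed sample sightings (documentation addresses, made-up MACs).
SAMPLE_OBSERVATIONS = [
    ("192.0.2.10", "00:11:22:33:44:55"),
    ("192.0.2.11", "00:11:22:33:44:66"),
    ("192.0.2.10", "00:11:22:33:44:55"),   # repeat sighting: nothing to report
    ("192.0.2.10", "00:11:22:33:44:77"),   # unknown MAC takes over .10
    ("192.0.2.10", "00:11:22:33:44:55"),   # original MAC returns: flip flop
]


def run_sample():
    """Feed the constructed sightings through the tracker."""
    tracker = ArpTracker()
    events = []
    for ip, mac in SAMPLE_OBSERVATIONS:
        events.extend(tracker.observe(ip, mac))
    return tracker, events


# The whitelist: MACs vetted from the table above, each with a fixed address.
WHITELIST = {
    "00:11:22:33:44:55": "192.0.2.10",
    "00:11:22:33:44:66": "192.0.2.11",
}


def dhcp_offer(whitelist, mac):
    """Return the fixed address for a known MAC, or None (no lease) if unknown."""
    return whitelist.get(mac.lower())


def dhcpd_host_entries(whitelist):
    """Render the whitelist as ISC dhcpd host declarations.

    Paired with `deny unknown-clients;` in the subnet scope, dhcpd then
    refuses any MAC without a matching host entry.  Host names are made up.
    """
    lines = []
    for n, (mac, ip) in enumerate(sorted(whitelist.items()), 1):
        lines.append(f"host known{n} {{ hardware ethernet {mac}; fixed-address {ip}; }}")
    return "\n".join(lines)


if __name__ == "__main__":
    tracker, events = run_sample()
    for e in events:
        print(f"{e.kind:25} {e.ip:12} {e.mac}" + (f" (was {e.old_mac})" if e.old_mac else ""))
    print(tracker.table())
    print(dhcpd_host_entries(WHITELIST))
```

Running it shows three "new mac" events, one "changed ethernet address" when the unknown MAC appears on 192.0.2.10, and a "flip flop" when the original MAC returns; the unknown MAC `00:11:22:33:44:77` would get no lease from the whitelist, which is the point of the scheme: an interloper can still put a frame on the wire, but it is reported immediately and never handed an address.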