[Snort-users] Alert on new IP in use?

Williams Jon WilliamsJonathan at ...2134...
Mon Aug 1 05:47:30 EDT 2005


I realize your question was posted to the snort list, but there is a
neat tool called Never Before Seen (NBS) by Marcus Ranum that does this.
I worked with it for a while, but got pulled off on other projects so I
haven't touched it in a while.  Should work well for your application,
though.

You can find NBS at Marcus' website:

http://www.ranum.com/security/computer_security/index.html

Jon 

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Rich
Adamson
Sent: Monday, August 01, 2005 8:15 AM
To: Snort Users Postings
Subject: [Snort-users] Alert on new IP in use?


Looking for a way to monitor a small banking network and generate an
alert when an unused IP address is observed. The current IPs are not
consecutive.

Example: we have 26 static IP addresses assigned to workstations and
servers. If a 27th (or greater) address appears on the wire, generate an
alert. (Note: not very interested in watching MAC addresses as some of
the IPs are behind another layer-3 device.)

Thoughts?
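
Added example, not part of the original thread and not NBS's own code or interface: a minimal never-before-seen check for the case in the question, seeded with the assigned addresses and reporting the first time any other address inside the monitored network appears as a traffic source. The network, address inventory and traffic records are constructed sample values, and the `<time> <src_ip> <dst_ip>` record format is an assumption.

```python
import ipaddress

# Constructed values (documentation address ranges), not from the thread.
MONITORED_NET = ipaddress.ip_network("192.0.2.0/24")
ASSIGNED = {"192.0.2.10", "192.0.2.11", "192.0.2.40", "192.0.2.200"}

# Constructed sample records; assumed format: "<time> <src_ip> <dst_ip>".
SAMPLE_FLOWS = """\
08:15:01 192.0.2.10 192.0.2.200
08:15:02 192.0.2.40 198.51.100.7
08:15:09 192.0.2.77 192.0.2.200
08:15:12 not-an-ip 192.0.2.10
08:15:20 192.0.2.77 192.0.2.10
08:15:30 192.0.2.10 192.0.2.99
08:16:00 192.0.2.150 192.0.2.11
truncated-line
"""


def find_new_addresses(lines, assigned, network):
    """Return (time, ip) for the first sighting of each unassigned source
    address inside the monitored network."""
    seen = {ipaddress.ip_address(a) for a in assigned}
    alerts = []
    for line in lines:
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed or truncated records
        stamp, src, _dst = fields
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            continue  # source field is not an IP address
        # Only sources count: an address that is merely a destination
        # has not been shown to be in use.
        if ip in network and ip not in seen:
            seen.add(ip)  # alert once per address, not once per packet
            alerts.append((stamp, str(ip)))
    return alerts


if __name__ == "__main__":
    for stamp, ip in find_new_addresses(SAMPLE_FLOWS.splitlines(), ASSIGNED, MONITORED_NET):
        print(f"{stamp} ALERT new address in use: {ip}")
```

Source addresses can be spoofed, so an alert from a check like this is a prompt to investigate rather than proof that a new host is attached.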



