Network Security: Detailed info on RE: Tracking back internal incidents to users, not IPs

Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.

Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.

Network Security Focus-IDS

[Top] [All Lists]

RE: Tracking back internal incidents to users, not IPs

from [Cojocea, Mike (IST)] Network Security

[Permanent Link]

Subject:	RE: Tracking back internal incidents to users, not IPs
Date:	Fri, 24 Feb 2006 08:44:01 -0500

then queries your DHCP server(s) for active leases with MAC adresses,

compares the MAC address to the switch's MAC table, then queries your
database/spreadsheet for jack number to switch port assignments and
updates the user object via an LDAP modify command.  


Have a look at Netdisco (netdisco.org). It does an SNMP walk and dumps
the switch ARP/IP tables into a database which you can query using
CGI+Apache. I used it in a 10K host network and it helped me a lot.
Using Netdisco you can track down a MAC to a port and shut down the port
in a couple of seconds. 

Thanks,
Mike

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
Tracking back internal incidents to users, not IPs, Charles Kaplan Re: Tracking back internal incidents to users, not IPs, Adam Powers Re: Tracking back internal incidents to users, not IPs, Kevin Re: Tracking back internal incidents to users, not IPs, John H. Sawyer Re: Tracking back internal incidents to users, not IPs, List Spam Re: Tracking back internal incidents to users, not IPs, Roland Dobbins Re: Tracking back internal incidents to users, not IPs, Michael Allgeier RE: Tracking back internal incidents to users, not IPs, Cojocea, Mike (IST) <= Re: Tracking back internal incidents to users, not IPs, Roland Dobbins Re: Tracking back internal incidents to users, not IPs, Jason Haar

Previous by Date:	Re: Testing IDS with tcpreplay, Bob Walder
Next by Date:	Re: Testing IDS with tcpreplay, Aaron Turner
Previous by Thread:	Re: Tracking back internal incidents to users, not IPs, Michael Allgeier
Next by Thread:	Re: Tracking back internal incidents to users, not IPs, Roland Dobbins
Indexes:	[Date] [Thread] [Top] [All Lists]