TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
On the subject of looking for connection attempts to owned but unused
addresses I did toy with the idea of using the arp alert.
My understanding is that the arp alert is designed to detect hosts
which have failed, by detecting the unanswered arps which would result
in such a situation.
Well I'm not too interested in that use of the arp alert because I
have other mechanisms for detecting hosts which have gone down.
However imagine you have a rogue LOCAL host doing a LOCAL network
scan; that should generate lots of unanswered arp requests (when I say
local I mean on the same subnet, so router mac addresses aren't
applicable).
However if the counters which RealSecure uses for this alert are based on
target ip address then that's not so useful for what I had in mind.
Sure it would be great for spotting failed hosts, by including in the
counter all the arp requests from all sources to the given target. I
was hoping that I could somehow use the event propagation section of
the alert to tell RealSecure to base its counters on arp requests by
SOURCE address. I did play around with the event propagation settings
but I imagine the internal counters are probably held by TARGET
address.
Yes I know there are some special events for detecting scans, and
they'd be okay for remote scans of my switch which would get passed to
the network engine, however they're less good for one bit of kit ON
the switch scanning other bits of kit ON the same switch - given the
number of hosts I'm running I couldn't mirror all inter-host traffic!
The one advantage of the arp alert in this situation is that arp
requests are broadcast packets, so all arp requests from any server on
the switch WOULD be broadcast out of the mirror port to the network
engine. That way I'd be able to alert if any device went arp request
crazy.
And yes, I realise I'd need to rely on the proper scan-detection
events to detect scans to/from the kit on my switch because they'd
only need to arp once for the local router.
Jason
On Fri, 25 May 2001 21:59:13 -0700, you wrote:
>
> I routinely watch for connection attempts to addresses I own, but
>that don't currently have machines assigned. Perhaps 10% of the
>time, these turn out to reveal configuration errors; the other 90% of
>the time, they're intruders trying to *find out* what addresses have
>exploitable machines attached.
> So I'd say there's merit.
>
>David Gillett
>
Jason.Renard at Mail.Com
Warning - all views expressed are my own.
I cannot guarantee the accuracy of everything
I've said - use it at your own risk.
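The per-source counting Jason describes above (flagging a local host that sends many unanswered arp requests, as opposed to counting unanswered requests per target to spot a dead host), as an added example that is not part of the original thread and is not RealSecure's code: a Python script that parses raw Ethernet/ARP frames and keeps both counters over constructed sample traffic. The MAC and IP addresses, the traffic mix and the scan threshold of 5 are assumptions for illustration; how RealSecure actually keys its internal counters is not known from the thread.

```python
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def build_arp(src_mac, sender_ip, target_ip, oper, target_mac="00:00:00:00:00:00"):
    """Build an Ethernet+ARP frame; used here only to construct sample traffic."""
    dst = _mac(BROADCAST) if oper == ARP_REQUEST else _mac(target_mac)
    eth = dst + _mac(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
           + _mac(src_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return (oper, sender_mac, sender_ip, target_ip) for an IPv4-over-Ethernet
    ARP frame, or None for anything else (non-ARP, truncated, odd lengths)."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = frame[22:28].hex(":")
    sender_ip = ".".join(str(b) for b in frame[28:32])
    target_ip = ".".join(str(b) for b in frame[38:42])
    return oper, sender_mac, sender_ip, target_ip


def analyse(frames, scan_threshold=5):
    """Replay frames in capture order and keep two views of unanswered requests:
    keyed by TARGET ip (a dead host draws requests from many sources) and keyed
    by SOURCE mac (one host asking for many addresses that never answer, i.e. a
    local scan). A reply whose sender ip matches a pending target clears every
    outstanding request for that target."""
    pending = defaultdict(list)  # target_ip -> [sender_mac, ...] not yet answered
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        oper, sender_mac, sender_ip, target_ip = parsed
        if oper == ARP_REQUEST:
            pending[target_ip].append(sender_mac)
        elif oper == ARP_REPLY:
            pending.pop(sender_ip, None)
    by_target = {t: len(srcs) for t, srcs in pending.items()}
    by_source = defaultdict(int)
    for srcs in pending.values():
        for mac in srcs:
            by_source[mac] += 1
    scanners = {m: n for m, n in by_source.items() if n >= scan_threshold}
    return {"unanswered_by_target": by_target,
            "unanswered_by_source": dict(by_source),
            "scanners": scanners}


def sample_frames():
    """Constructed sample traffic (hypothetical addresses, not a real capture)."""
    frames = [
        # a normal host resolves the router, and the router answers
        build_arp("00:11:22:33:44:05", "10.0.0.5", "10.0.0.1", ARP_REQUEST),
        build_arp("00:11:22:33:44:01", "10.0.0.1", "10.0.0.5", ARP_REPLY,
                  target_mac="00:11:22:33:44:05"),
    ]
    # the same host retries a host that is down: three unanswered, one target
    frames += [build_arp("00:11:22:33:44:05", "10.0.0.5", "10.0.0.9", ARP_REQUEST)
               for _ in range(3)]
    # a rogue local host sweeps 10.0.0.10-29; only .10 and .11 exist and answer
    frames += [build_arp("de:ad:be:ef:00:01", "10.0.0.200", f"10.0.0.{n}", ARP_REQUEST)
               for n in range(10, 30)]
    frames += [build_arp(mac, f"10.0.0.{n}", "10.0.0.200", ARP_REPLY,
                         target_mac="de:ad:be:ef:00:01")
               for n, mac in ((10, "00:11:22:33:44:10"), (11, "00:11:22:33:44:11"))]
    return frames


if __name__ == "__main__":
    result = analyse(sample_frames())
    print("max unanswered per target:", max(result["unanswered_by_target"].values()))
    print("unanswered per source:", result["unanswered_by_source"])
    print("scanners:", result["scanners"])
```

On this sample the target-keyed view peaks at 3 (the dead host 10.0.0.9 retried by one machine), while the sweeping host leaves 18 unanswered requests yet never pushes any single target's counter above 1; that is exactly why a counter held by target address would miss the local scan and a counter held by source address catches it. Because arp requests are broadcast, a sensor on a mirror port sees every request on the segment and only needs the replies to tell answered from unanswered.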