On Mon, May 20, 2002 at 09:31:16PM +0200, Maciej Soltysiak wrote:
> > Maybe this is an opportunity for something as an extension or parallel
> > to arpwatch, perhaps called spoofwatch, which builds up a similar list
> > of MAC/IP pairs for ARP requests on the network, but then continuously
> > compares those against all the packets it sees, to check whether
> > machine 1 with MAC address mac1 and IP address IP1 ever sends out a
> > packet with IP address IP2 as the source, or alternatively if it ever
> > sees a packet with a MAC address which doesn't belong to a system on
> > the network.
> Now that you mention it, Snort can do that, and checks every packet, which
> is great. It just needs a table of valid MACs/IPs.
>
> Unfortunately, here, with over 800 computers, managed via BOOTP on 4
> different LANs and Cisco routers, it would require setting up an additional
> Linux host with interfaces on all LANs and updating the MAC/IP tables
> every time there is a change to bootptab. Hmm, I think it's a good idea.

800 computers on 4 LANs. Hmmm. Follow the logic: plugging the Snort box into all these 4 LANs requires that Snort sees all the packets on each LAN, which means that you either have no switch in each LAN or need to mirror all the traffic to the Snort switch port. Hmmm. Good luck.

Ramin

> > Now I think it is a great solution, which did not come to my mind.
> > Thanks.
> >
> > Antony.
> Maciej
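The "spoofwatch" check proposed in the quoted message, written out as an added example that is not part of this thread and is not arpwatch's or Snort's code: it learns MAC/IP pairs from the sender fields of ARP requests and replies (a `seed()` hook stands in for a table generated from bootptab), then checks every IPv4 frame's source MAC and source IP against that table. It raises an alert when a known MAC sends a packet with an IP other than the one bound to it, when a MAC that never appeared in ARP sends IP traffic, when a second MAC claims an IP already bound to another, and when an ARP sender hardware address disagrees with the Ethernet source address. The MAC addresses, IPs and frames below are constructed for the demo; on a real LAN the frames would come from a raw socket or pcap on a port that actually sees the traffic, which is exactly the mirroring problem Ramin raises.

```python
"""Minimal "spoofwatch": learn MAC/IP pairs from ARP, then check the
source of every IPv4 frame against the learned table. Added example."""
import struct
from ipaddress import IPv4Address

ETH_P_IP, ETH_P_ARP = 0x0800, 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


class SpoofWatch:
    """One IP per MAC, which is what a BOOTP-managed LAN hands out."""

    def __init__(self):
        self.ip_of_mac = {}
        self.mac_of_ip = {}

    def seed(self, mac, ip):
        """Trusted static entry, e.g. one line of bootptab (assumed format)."""
        self.ip_of_mac[mac] = ip
        self.mac_of_ip[ip] = mac

    def _learn(self, mac, ip):
        """Learn a new pair from ARP; report (but do not overwrite) conflicts."""
        known_mac, known_ip = self.mac_of_ip.get(ip), self.ip_of_mac.get(mac)
        if known_mac is not None and known_mac != mac:
            return [("arp-conflict", mac, ip)]      # IP claimed by a second MAC
        if known_ip is not None and known_ip != ip:
            return [("arp-conflict", mac, ip)]      # MAC changing its IP
        if known_mac is None and known_ip is None:
            self.seed(mac, ip)                       # first sighting: learn it
        return []

    def observe(self, frame):
        """Return a list of (kind, src_mac, src_ip) alerts for one Ethernet frame."""
        if len(frame) < 14:
            return []
        _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
        src_mac, payload = mac_str(src), frame[14:]
        if ethertype == ETH_P_ARP and len(payload) >= 28:
            (_ht, _pt, _hl, _pl, op, sha, spa,
             _tha, _tpa) = struct.unpack("!HHBBH6s4s6s4s", payload[:28])
            sha_s, spa_s = mac_str(sha), str(IPv4Address(spa))
            alerts = []
            if sha_s != src_mac:                     # ARP body disagrees with frame
                alerts.append(("arp-sha-mismatch", src_mac, spa_s))
            if op in (ARP_REQUEST, ARP_REPLY):
                alerts += self._learn(sha_s, spa_s)
            return alerts
        if ethertype == ETH_P_IP and len(payload) >= 20 and payload[0] >> 4 == 4:
            src_ip = str(IPv4Address(payload[12:16]))
            bound = self.ip_of_mac.get(src_mac)
            if bound is None:
                return [("unknown-mac", src_mac, src_ip)]
            if bound != src_ip:
                return [("ip-spoof", src_mac, src_ip)]
        return []


# Constructed frames for the demo (not captured traffic).
def eth_frame(src, dst, ethertype, payload):
    return struct.pack("!6s6sH", mac_bytes(dst), mac_bytes(src), ethertype) + payload


def arp_payload(op, sha, spa, tha, tpa):
    return struct.pack("!HHBBH6s4s6s4s", 1, ETH_P_IP, 6, 4, op,
                       mac_bytes(sha), IPv4Address(spa).packed,
                       mac_bytes(tha), IPv4Address(tpa).packed)


def ipv4_header(src, dst):
    # 20-byte header; checksum left at zero since only the addresses matter here
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def run_demo():
    """Feed a constructed sequence of frames and return the alerts raised."""
    H1, H2, ROGUE = "00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:99"
    BCAST, NONE = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
    w = SpoofWatch()
    frames = [
        eth_frame(H1, BCAST, ETH_P_ARP, arp_payload(ARP_REQUEST, H1, "10.0.0.1", NONE, "10.0.0.2")),
        eth_frame(H2, H1, ETH_P_ARP, arp_payload(ARP_REPLY, H2, "10.0.0.2", H1, "10.0.0.1")),
        eth_frame(H1, H2, ETH_P_IP, ipv4_header("10.0.0.1", "10.0.0.2")),     # legitimate
        eth_frame(H1, H2, ETH_P_IP, ipv4_header("10.0.0.2", "10.0.0.1")),     # H1 using H2's IP
        eth_frame(ROGUE, H2, ETH_P_IP, ipv4_header("10.0.0.7", "10.0.0.2")),  # MAC never seen in ARP
        eth_frame(ROGUE, BCAST, ETH_P_ARP, arp_payload(ARP_REPLY, ROGUE, "10.0.0.2", BCAST, "10.0.0.2")),  # hijacks H2's IP
        eth_frame(ROGUE, BCAST, ETH_P_ARP, arp_payload(ARP_REPLY, H2, "10.0.0.2", BCAST, "10.0.0.2")),     # forged sender MAC
    ]
    return [alert for f in frames for alert in w.observe(f)]


if __name__ == "__main__":
    for kind, mac, ip in run_demo():
        print(f"{kind:16s} mac={mac} ip={ip}")
```

Conflicts are reported rather than applied, so a forged gratuitous ARP cannot rewrite the table the way it can rewrite a host's ARP cache; if the table is generated from bootptab instead of learned, drop the learning branch of `_learn()` and treat every unseeded pair as a conflict.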
