Re: [ISSForum] Custom Signature Question

Fri, 21 May 2004 11:36:53 -0700 

As I understand, you want to find user by workstation NetBIOS name or Login
in LAN. If it is so you can create user defined event in RNE with context
User_Login_Name (detailed information available in Network Sensor Policy
Guide Version 7.0, Cahpter 4 and Appendix A).

Another approach.
You can perform NBT scan of all network every day and store results
somewhere. Then you will able to search these results to find out
correspondence between IP, MAC, Login and Worstation name of every windows
machine in your LAN (of course if user doesn't use personal firewall and
doesn't filter NetBIOS traffic). You can use standard nbtstat utility, but
I advise to use nbtscan (it works faster) utility that is available for *IX
OSs, but ported on Win by cygwin.dll.
When you get MAC (if you've got IP you can get MAC from router's arp table)
of desired computer you can find switch and port. Then, if you have
crossing table, by switch/port you can find location of computer.

Hope this helps.

---
Best regards, Sergey V. Soldatov.
tel/fax +7 095 745 89 50 (2663)


                                                                                       
                               
              "Baxter, Kevin"                                                          
                               
              <[EMAIL PROTECTED]        To:       <[EMAIL PROTECTED]>                  
                       
              om>                                cc:                                   
                               
              Sent by:                           Subject:  [ISSForum] Custom Signature 
Question                       
              [EMAIL PROTECTED]                                                        
                        
                                                                                       
                               
                                                                                       
                               
              21.05.2004 02:31                                                         
                               
                                                                                       
                               
                                                                                       
                               




A workgroup with a derogatory name keeps appearing on our network. We
have been trying to track it down with no success. Is possible to write
a signature for network sensor to get us the name or IP of this machine?
Any help would be appreciated.



Thanks

Kpb







_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to [EMAIL PROTECTED]

The ISSForum mailing list is hosted and managed by Internet Security
Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.





_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to 
https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to [EMAIL PROTECTED]

The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 
Barfield Road, Atlanta, Georgia, USA 30328.

Reply via email to