On Wed, 2004-10-27 at 21:19, Robert Collins wrote:
> On Wed, 2004-10-27 at 16:37 +1000, Matthew Palmer wrote:
> >
> > Practically speaking, there is no way to stop them if they have physical
> > access to the network and/or administrative access to the machine, unless
> > you have an intelligent switch which is capable of being told "only let DHCP
> > traffic through by default", then getting the DHCP server to change the ACL
> > on the port for the requestor MAC address after successful DHCP lease
> > assignment.
>
> It's relatively easy to hook up snort and your dhcp leases file, so that
> traffic to/from an ip not in there triggers a warning. If your switch is
> at all manageable, that could well shut down the problem port, by querying
> for the source of the MAC.

Good clue, but would it work if the traffic was not actually using the snort interface but merely passing it?

>
> Rob
> --

Howard.
LANNet Computing Associates; Your Linux people <http://www.lannetlinux.com>
------------------------------------------
"When you just want a system that works, you choose Linux;
when you want a system that just works, you choose Microsoft."
------------------------------------------
"Flatter government, not fatter government;
Get rid of the Australian states."

--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
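The lease lookup that the quoted suggestion relies on, as an added example that is not code from anyone in this thread: it reads a leases file and flags observed traffic whose source IP has no active lease or whose MAC differs from the leased one. The ISC dhcpd.leases format, the sample leases, the observed pairs and the function names are all assumptions made for illustration; how the pairs are collected from the sensor is not covered.

```python
import re
from datetime import datetime, timezone

# Constructed sample in ISC dhcpd.leases format (assumed; the thread names no DHCP server).
SAMPLE_LEASES = """
lease 192.168.1.10 {
  starts 3 2004/10/27 08:00:00;
  ends 3 2004/10/27 20:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
lease 192.168.1.11 {
  starts 2 2004/10/26 08:00:00;
  ends 2 2004/10/26 20:00:00;
  binding state free;
  hardware ethernet 00:11:22:33:44:66;
}
"""
# Constructed (ip, mac) pairs, standing in for what a sensor saw on the wire.
OBSERVED = [("192.168.1.10", "00:11:22:33:44:55"), ("192.168.1.11", "00:11:22:33:44:66"),
            ("192.168.1.10", "00:AA:BB:CC:DD:EE"), ("192.168.1.50", "00:de:ad:be:ef:01")]
NOW = datetime(2004, 10, 27, 12, 0, tzinfo=timezone.utc)  # leases file times are UTC
LEASE_RE = re.compile(r"^lease\s+(\S+)\s*\{(.*?)\}", re.S | re.M)

def active_leases(text, now):
    """Return {ip: mac} for leases that are active and unexpired at `now`."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        ends = re.search(r"ends\s+\d\s+([\d/]+ [\d:]+);", body)
        mac = re.search(r"hardware ethernet\s+([0-9a-fA-F:]+);", body)
        state = re.search(r"^\s*binding state\s+(\w+);", body, re.M)
        leases.pop(ip, None)  # the file is append-only: the last entry for an IP wins
        if not (ends and mac) or (state and state.group(1) != "active"):
            continue
        expiry = datetime.strptime(ends.group(1), "%Y/%m/%d %H:%M:%S")
        if expiry.replace(tzinfo=timezone.utc) > now:
            leases[ip] = mac.group(1).lower()
    return leases

def check(observed, leases):
    """Flag traffic from an IP with no active lease, or from the wrong MAC."""
    findings = []
    for ip, mac in observed:
        leased = leases.get(ip)
        if leased is None:
            findings.append((ip, mac.lower(), "no-active-lease"))
        elif leased != mac.lower():
            findings.append((ip, mac.lower(), "mac-mismatch"))
    return findings

if __name__ == "__main__":
    for finding in check(OBSERVED, active_leases(SAMPLE_LEASES, NOW)):
        print(finding)
```

A MAC mismatch on a leased address is worth flagging separately, since a host that simply copies a leased IP would otherwise pass the "is this IP in the leases file" test.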
