Someone is repeatedly attacking our network with scans and brute force attempts (on the wire and also on our wireless gateway), and from the logs their MAC address keeps changing to a fake one (doesn't register with any vendor). I heard somewhere about a program that can send a type of response to such attackers to suss out their real MAC address. Does such a thing really exist? If so, I want it!
Thanks!
A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.
Sorry, not clear -- they are coming in from outside. IPCop's logs show multiple attempts and Snort is throwing out alerts. Their IP address is changing daily. We have no web server and this network is set up only for accessing the internet. All ports are blocked to the outside so I don't fret that they could actually do any harm, it's just annoying and I'd like to grab their MAC address -- although presumably they've changed that, too.
Ok, so I'm confused, are they actually coming in across your wireless as well?
Are you sure you're not seeing multiple attacks from multiple sources?
Well, I'm not an expert in pulling out relevant information from the logs, but it seems like the logs for the wired interface in IPCop show a sudden surge in activity from one IP, then hours later, a similar pattern in the wireless interface logs in IPCop. When they attack from the wireless I'd like to grab their MAC because they must be in range, although we are near a public internet site (in fact several), so it could be any number of things happening. Most curious about the program that grabs MAC addresses from connected users -- actually I heard it spills out the guts of the ROM of their MAC card. Is there really such a thing? Sounds dangerous.
There is no point, nor do I think there is any way you're going to get the source MAC address of whatever is 'attacking' you. Even if you could get it, what are you going to do with it? The source IP address is more important information than a MAC address.
Gather your logs up as best as you can, make sure that each entry is timestamped in UTC and send them to the Abuse@ address of the offender's ISP. Explain that you want the attacks to cease.
As for attacks on your wireless, just take whatever measures are necessary to ensure that your wireless is as secured as possible.
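The log preparation suggested in the reply above, as an added example that is not part of the original thread: it parses iptables-style syslog lines, converts their local timestamps to UTC, and groups the entries by source IP for an abuse report. The sample lines, the year, the UTC-6 firewall clock and the function names are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines in iptables/syslog style (not taken from the thread).
# Classic syslog timestamps carry no year and no time zone.
SAMPLE_LOG = """\
Mar  3 23:58:41 fw kernel: INPUT IN=eth1 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=22
Mar  4 00:01:07 fw kernel: INPUT IN=eth1 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=40115 DPT=23
Mar  4 00:03:30 fw kernel: INPUT IN=eth1 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=5060 DPT=5060
this line is not a firewall entry
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

def to_utc(stamp, year, utc_offset_hours):
    """Attach the missing year and the firewall's UTC offset, then convert to UTC."""
    naive = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    local = naive.replace(tzinfo=timezone(timedelta(hours=utc_offset_hours)))
    return local.astimezone(timezone.utc)

def build_report(log_text, year, utc_offset_hours):
    """Group entries by source IP, each with an ISO 8601 UTC timestamp."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip anything that is not a packet log entry
        when = to_utc(m["ts"], year, utc_offset_hours).strftime("%Y-%m-%dT%H:%M:%SZ")
        port = m["dpt"] or "-"
        by_src[m["src"]].append(f"{when} {m['proto']} -> {m['dst']}:{port}")
    return dict(by_src)

if __name__ == "__main__":
    # Assumption: the firewall clock runs at UTC-6 and the entries are from 2024.
    for src, entries in build_report(SAMPLE_LOG, 2024, -6).items():
        print(f"Source {src}: {len(entries)} entries")
        for entry in entries:
            print("  " + entry)
```

Each source IP gets its own list, so the entries for one address can go to the ISP that owns it.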
I think you're right. I thought if I could get the MAC we could investigate the holder of that MAC.
All you'd get is the MAC of the device from the hop, probably your ISP's router. It wouldn't be the MAC of the attacking IP.
Thorn
Stop the TSA now! Boycott the airlines.
Alas I believe you are all correct. I was nevertheless hoping beyond hope.... Alas....