Switches, Hubs, and Modems
cancel
Showing results for 
Search instead for 
Did you mean: 

intrusion log alert

Wanda_5
Frequent Advisor

intrusion log alert

hi everyone,

i am a bit confused with the intrusion log that i got. it reported a mac address that is the same one configured to that port (port-security option).

Isn't it that intrusion logs list mac addresses that the switch detected on a certain port that is different from what is configured on the port security option?

can anyone explain this to me? thanks
2 REPLIES
Ernest Ford
Trusted Contributor

Re: intrusion log alert

Wanda,

I think you need to tell us more about what you need to know - what software/hardware is generating this "intrusion alert"? How is it configured?

Whilst I have seen intrusion detection software that uses a list of "known good" MAC addresses to function, I would not consider this a particularly reliable method.

Personally I have witnessed these systems give numerous false positives and I am also aware of several ways in which they can be very easily bypassed - in fact - any traffic - legitimate or not - entering your LAN through a router will show the MAC address of that router, so that it is impossible to determine whether it is an intrusion or just normal traffic based on the MAC address alone.
Wanda_5
Frequent Advisor

Re: intrusion log alert

hi ernest,

i am using hp4108gl. configured it with port-security so that only one MAC address will be allowed to access each port. otherwise, the port will be disabled. This port-security option is an option on every procurve switches (i think).. and logs it there..

And because it is a switch, it can be configured so that only particlar MAC addresses can access the switch. If another say, server was plugged in a port, it will not connect due to the different MAC address allowed for the port.

in my case, the port that generated the false log is a unix server.. had exactly the same MAC address configured. So, why did the procurve switch logged it as an "intruder"?

anyway, correct me if im wrong, but from what you said, does it mean that in the intrusion logs, the switch logs a device even if it is not technically "intruding" because practically, that device is allowed to access that port. im so confused..