HPE Community
Switches, Hubs, and Modems
1820294 Members
3313 Online
109622 Solutions
New Discussion юеВ

Re: intrusion log alert

 
Wanda_5
Frequent Advisor

тАО08-30-2004 09:05 PM

тАО08-30-2004 09:05 PM

intrusion log alert

hi everyone,

i am a bit confused with the intrusion log that i got. it reported a mac address that is the same one configured to that port (port-security option).

Isn't it that intrusion logs list mac addresses that the switch detected on a certain port that is different from what is configured on the port security option?

can anyone explain this to me? thanks
0 Kudos
2 REPLIES 2
Ernest Ford
Trusted Contributor

тАО08-31-2004 11:46 PM

тАО08-31-2004 11:46 PM

Re: intrusion log alert

Wanda,

I think you need to tell us more about what you need to know - what software/hardware is generating this "intrusion alert"? How is it configured?

Whilst I have seen intrusion detection software that uses a list of "known good" MAC addresses to function, I would not consider this a particularly reliable method.

Personally I have witnessed these systems give numerous false positives and I am also aware of several ways in which they can be very easily bypassed - in fact - any traffic - legitimate or not - entering your LAN through a router will show the MAC address of that router, so that it is impossible to determine whether it is an intrusion or just normal traffic based on the MAC address alone.
0 Kudos
Wanda_5
Frequent Advisor

тАО09-01-2004 04:53 PM

тАО09-01-2004 04:53 PM

Re: intrusion log alert

hi ernest,

i am using hp4108gl. configured it with port-security so that only one MAC address will be allowed to access each port. otherwise, the port will be disabled. This port-security option is an option on every procurve switches (i think).. and logs it there..

And because it is a switch, it can be configured so that only particlar MAC addresses can access the switch. If another say, server was plugged in a port, it will not connect due to the different MAC address allowed for the port.

in my case, the port that generated the false log is a unix server.. had exactly the same MAC address configured. So, why did the procurve switch logged it as an "intruder"?

anyway, correct me if im wrong, but from what you said, does it mean that in the intrusion logs, the switch logs a device even if it is not technically "intruding" because practically, that device is allowed to access that port. im so confused..
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.