We use Cisco networking products, specifically 2900, 4000, and 6000 series switches. We DON'T currently have Cisco Works.
Our IDS system detected a system sending bad traffic to a known hacking site. Unfortunately, the IDS spotted the traffic on a Saturday, and we don't have a 24-hour shift, so we didn't get the notice until Monday morning.
The IDS gave us the system's IP address, and through DHCP we got the system's MAC address. But the system isn't responding to pings, and its MAC address isn't in the ARP cache of any of our switches. So the system is currently offline. The host name is completely different from our corporate naming conventions, so we're pretty sure someone brought their laptop in over the weekend and sent some bad traffic over our network. Whether intentional or accidental, we want to find that laptop.
If the system were currently online, we could easily find its port through the switches' ARP caches. Since it's offline, we can't find it right now. We're going to block that MAC address, but is there a way to be notified when that MAC address pops up again?
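As an added example (not part of the original post), a small Python helper that checks a Cisco IOS `show mac address-table` dump for a watched MAC address, normalizing the colon-separated form a DHCP lease reports against the dotted form IOS prints. The table text is a constructed sample; collecting it from each switch (SSH or SNMP) is assumed to happen elsewhere.

```python
import re

# Constructed sample of `show mac address-table` output from a Cisco IOS switch
# (example data only, not from the original post or any real switch).
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/12
  10    00aa.bbcc.ddee    DYNAMIC     Gi1/0/3
  20    0011.2233.9999    STATIC      Gi1/0/24
"""

# One entry row: VLAN, dotted-hex MAC (14 chars), entry type, port.
MAC_ROW = re.compile(r"^\s*(\d+)\s+([0-9a-fA-F.]{14})\s+(\w+)\s+(\S+)\s*$")


def normalize_mac(mac):
    """Reduce aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff to 12 lowercase hex digits.

    DHCP servers and Cisco switches print MACs differently; comparing the raw
    strings is the classic way to miss a match.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_mac_table(text):
    """Return (vlan, normalized_mac, type, port) for each entry row; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            rows.append((int(vlan), normalize_mac(mac), kind, port))
    return rows


def find_watched_macs(table_text, watched_macs):
    """Return (mac, vlan, port) for every watched MAC present in the table; empty if none seen."""
    watched = {normalize_mac(m) for m in watched_macs}
    return [(mac, vlan, port)
            for vlan, mac, _, port in parse_mac_table(table_text)
            if mac in watched]
```

Run `find_watched_macs` against each switch's table on a schedule and raise an alert (e-mail, syslog) whenever it returns a non-empty list; the port it reports is where the laptop is plugged in.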