Ranter
Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Comments
-
R-C-D157495y@popoca sure but in case of any damage , who is in charge ? That user or there is still some other evidences ?
-
mt3o19135y@R1100 that's a broad question. If you're asking about network level - firewalls do deep packet inspection, tools are so clever they can for example disable a feature in Messanger.
Heuristics are being used for detection of malicious activity.
Faked mac addresses are useless because the traffic goes thru some path and specific network interface is at the other side of the wire. It's easy to track source of that package if you really want to. Not to mention, you don't have proper TCP/IP without real mac. -
If network logging is enabled, compare real vs configured situation.
If user's mac is connected via the same port as always, it's most likely the user's fault.
If user's mac is coming through a different physical port [ergo from a different seat in the office] than usually, I'd consider it an attack by someone else.
Making a timeline of usage of both ports would also help.
Related Rants
I was wondering how a sysadmin would know if the user sending malicious traffic is the real attacker or his account has been hacked ?
(Also probable that the attacker has faked his mac address to user's device)
question
how
forensics
hmmm