Snort mailing list archives
Re: How to detect massive ARPing from Ettercap?
From: Gary Flynn <flynngn () jmu edu>
Date: Fri, 27 Sep 2002 13:44:39 -0400
twig les wrote:
Hey *, my latest spare-time toy is ettercap (ettercap.sourceforge.net), which among many other things, can map its subnet in about 10 seconds thru massive arping. Unfortunately my snort box didn't see this happening. More accurately, it saw it but didn't generate any alerts. I know it saw it because I ran tcpdump on the snort box also.
Yea. I played with it a few months ago and lost a lot of confidence in switched networks and SSH as packet sniffing prevention measures :)

There is an arpspoof module listed in the snort.conf file. I haven't tried it. Of course, the box doing the monitoring would have to be on the segment where the arpspoofing is occurring. You wouldn't see it on the other side of a router interface.

Another tool I've heard of in this respect is arpwatch. Again, it would have to be deployed on each segment. You may be able to do something with regular monitoring of your core router arp caches too.

--
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe
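An added example, not part of the original thread and not code from Snort, arpwatch or ettercap: since the sensor's tcpdump did see the ARP requests, the sweep can be flagged by counting how many distinct addresses each sender asks for inside a short window. It assumes tcpdump's text output format for ARP; the function names, the 10 second window, the threshold of 20 and the sample capture are all constructed for illustration.

```python
import re
from collections import defaultdict, deque

# Assumed input: tcpdump text output for ARP, one packet per line, e.g.
# "13:44:01.035000 ARP, Request who-has 192.168.1.5 tell 192.168.1.66, length 28"
ARP_REQ = re.compile(
    r"^(\d\d):(\d\d):(\d\d(?:\.\d+)?) .*who-has (\S+) tell ([^\s,]+)")

def find_arp_sweeps(lines, window=10.0, threshold=20):
    """Return {sender_ip: peak count of distinct targets within `window` s}
    for every sender whose count reaches `threshold`."""
    recent = defaultdict(deque)          # sender -> (time, target) in window
    peaks = {}
    for line in lines:
        m = ARP_REQ.match(line)
        if not m:                        # replies and non-ARP lines
            continue
        hh, mm, ss, target, sender = m.groups()
        now = int(hh) * 3600 + int(mm) * 60 + float(ss)  # no midnight wrap handling
        q = recent[sender]
        q.append((now, target))
        while now - q[0][0] > window:    # drop requests older than the window
            q.popleft()
        distinct = len({t for _, t in q})
        if distinct >= threshold:
            peaks[sender] = max(peaks.get(sender, 0), distinct)
    return peaks

def constructed_capture():
    """Constructed sample: .66 sweeps a /24 in under 10 s, .10 does normal ARP."""
    lines = [f"13:44:{i * 0.035:09.6f} ARP, Request who-has 192.168.1.{i} "
             f"tell 192.168.1.66, length 28" for i in range(1, 255)]
    for sec in (2, 5, 8):
        lines.append(f"13:44:{sec:02d}.500000 ARP, Request who-has 192.168.1.1 "
                     f"tell 192.168.1.10, length 28")
    lines.append("13:44:02.600000 ARP, Reply 192.168.1.1 is-at "
                 "00:11:22:33:44:55, length 46")
    return lines

if __name__ == "__main__":
    for sender, count in find_arp_sweeps(constructed_capture()).items():
        print(f"possible ARP sweep: {sender} asked for {count} addresses in 10 s")
```

As the reply points out for any ARP monitoring, the capture has to come from the same segment as the sweeping host, since ARP requests do not cross a router interface.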