Snort mailing list archives

Re: Prevent ARP attack on NIDS sniffer.


From: Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>
Date: Mon, 25 Aug 2003 11:02:15 +0200



Sam Wun wrote:
> Dear all,
>
> How can I configure a NIDS sniffer to avoid ARP attack?

What kind of an attack based on the ARP protocol are you afraid of? Some
more information on this please...

> If an NIC of the NIDS configured without IP but still need to enabled
> MAC configured (by default assigned by system).

MAC = Media Access Control is, for every network device, a theoretically
unique 48-bit number. You can't disable it: it is given to
every device by its hardware manufacturer. It can be changed, but AFAIK
you can't delete it. What you probably mean is the ARP protocol, which
makes use of the MAC addresses.

Under Linux you can configure your NIC without an IP and without
activating the ARP protocol, so it will never respond to ARP
requests and will remain almost "invisible" that way:

ifconfig eth0 -arp up

If that is what you meant. ;)

> Maybe my question is out of scope, but really wondering how to hide MAC
> as well?? and the impact to the NIDS?
>
> Thanks
> sam

Regards,
Edin

-- 
Edin Dizdarevic
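
Added example, not part of the original post: the same no-IP, no-ARP sensor interface set up with the iproute2 `ip` tool, plus a check that the state actually holds (interface up, promiscuous, NOARP set, no address bound). The function names and the `apply`/`audit` arguments are hypothetical; the flag bits are the values from `<linux/if.h>`.

```shell
#!/bin/sh
# Added example: no-IP, no-ARP sniffing interface with iproute2, plus an audit.
# Flag bits from <linux/if.h>, as exposed in /sys/class/net/<if>/flags.
IFF_UP=0x1
IFF_NOARP=0x80
IFF_PROMISC=0x100

# flag_set FLAGS BIT: succeeds if BIT is set in FLAGS (both may be hex).
flag_set() { [ $(( $1 & $2 )) -ne 0 ]; }

# audit_flags FLAGS ADDR_COUNT: print "ok" or a space-separated list of findings.
# Returns 0 only when the interface is up, promiscuous, NOARP and unaddressed.
audit_flags() {
    findings=""
    flag_set "$1" "$IFF_UP"      || findings="${findings}down "
    flag_set "$1" "$IFF_NOARP"   || findings="${findings}arp-enabled "
    flag_set "$1" "$IFF_PROMISC" || findings="${findings}not-promiscuous "
    [ "$2" -eq 0 ]               || findings="${findings}has-address "
    if [ -z "$findings" ]; then echo "ok"; return 0; fi
    echo "${findings% }"
    return 1
}

# harden_sniffer IFACE (hypothetical helper, needs root).
# IPv6 is disabled first so the kernel does not add a link-local address
# when the link comes up; then ARP off, promiscuous on, addresses flushed.
harden_sniffer() {
    sysctl -q -w "net.ipv6.conf.$1.disable_ipv6=1"
    ip link set dev "$1" arp off promisc on up
    ip addr flush dev "$1"
}

# audit_iface IFACE: read the live flags and address count, then audit them.
audit_iface() {
    flags=$(cat "/sys/class/net/$1/flags") || return 2
    addrs=$(ip -o addr show dev "$1" | wc -l)
    audit_flags "$flags" "$addrs"
}

# Usage: sh sniffer.sh apply eth1   |   sh sniffer.sh audit eth1
case "${1:-}" in
    apply) harden_sniffer "$2"; audit_iface "$2" ;;
    audit) audit_iface "$2" ;;
esac
```

Running the audit from cron or at sensor start-up catches the case where a DHCP client or network manager has quietly re-addressed the capture interface.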


