Snort mailing list archives
Re: ARP poisoning and sniffing in a Switched Network
From: twig les <twigles () yahoo com>
Date: Wed, 17 Dec 2003 13:33:01 -0800 (PST)
--- CGhercoias () TWEC COM wrote:
Hello,

Has anyone heard about Cain&Abel for Windows -- http://www.oxid.it/cain.html ? ...it has a lot of new features like APR (Arp Poison Routing), which enables sniffing on switched LANs by hijacking the IP traffic of multiple hosts at the same time. The sniffer can also analyze encrypted protocols such as SSH-1 and HTTPS if used with APR (ARP Poisoning Routing) and a Man-in-the-middle situation...

I tested it personally and it is impressive. You can sniff anything from anywhere within the same subnet; it can spoof any IP address and any MAC address. It decrypts SSH sessions, telnet and HTTPS sessions. As far as I can tell -- I don't want something like this in my corporate network!

Is there any rule for snort to catch this kind of ARP (illegal) traffic? Assuming that I turn on 'Port Security' in all switches, the problem still remains if some disgruntled employee installs it and makes use of a real IP and a real MAC address. Not saying that it can cause DoS in the network because of the ARP poisoning. As far as I know ARP is a stateless protocol that does not require any kind of authentication, so a simple ARP Reply packet sent to each host will force an update in their ARP Cache -- therefore ARP poisoning.
Yes, I have Cain&Abel (really fun tool) and yes there is a preprocessor called arpspoof. Search snort.conf for "#preprocessor arpspoof" and remove the #. There is a price to pay for this preprocessor though. You have to manually map IPs and MACs, yuck. Also if the ARP is not within your broadcast domain you won't see it, so Snort won't know anything about it. If you are really worried about this go for it. Also, enabling port protect (I assume you are referring to the small Cisco Catalyst feature) is a great way to achieve compartmentalization with little effort on your part, and most hosts should never talk to each other directly anyhoo.
Thank you,
___________________________
Catalin Ghercoias
WEB/Network Security Administrator
website: http://www.fye.com

The content of this communication is classified as Trans World Entertainment Confidential and Proprietary Information. As such, it is intended solely for the use of the individual or entity to whom it is addressed and only others who are authorized to receive it. If you are not one of those, you are hereby notified that any disclosure, copying, distribution, or action in reliance on the contents of this information is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by responding to this communication and then deleting it from your system.
Ouch, pretty mean policy, I'm deleting this message now. ;-)

=====
-----------------------------------------------------------
Get a taste of Religion ... eat a priest!
-----------------------------------------------------------
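The checks the arpspoof preprocessor makes once you have mapped IPs to MACs (an Ethernet source that differs from the ARP sender address, a unicast ARP request, and a reply that claims a statically mapped IP with a different MAC) are shown below as an added Python example; this is not Snort's code, and the IP/MAC table, the addresses and the frame builder exist only to construct test input.

```python
import struct

# Constructed static IP -> MAC table, the manual mapping the preprocessor
# needs (addresses are made up for this example).
ARP_TABLE = {
    "192.168.1.1": "aa:bb:cc:00:00:01",   # gateway
    "192.168.1.10": "aa:bb:cc:00:00:10",  # a workstation
}

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b):
    return ".".join(str(x) for x in b)

def build_arp(eth_src, eth_dst, op, sha, spa, tha, tpa):
    """Build a raw Ethernet II + ARP frame; used only to construct test input."""
    eth = eth_dst + eth_src + b"\x08\x06"            # dst, src, ethertype ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype, ptype, hlen, plen, op
    return eth + arp + sha + spa + tha + tpa

def check_arp_frame(frame, table=ARP_TABLE):
    """Return a list of alerts for one frame, modelled on the arpspoof checks."""
    alerts = []
    eth_dst, eth_src, ethertype = frame[:6], frame[6:12], frame[12:14]
    if ethertype != b"\x08\x06" or len(frame) < 42:
        return alerts                                  # not an ARP frame
    op = struct.unpack("!H", frame[20:22])[0]
    sha, spa = frame[22:28], frame[28:32]
    # 1. The Ethernet source should be the ARP sender hardware address.
    if eth_src != sha:
        alerts.append("ethernet/ARP source MAC mismatch")
    # 2. ARP requests are normally broadcast; a unicast request is suspicious.
    if op == 1 and eth_dst != b"\xff" * 6:
        alerts.append("unicast ARP request")
    # 3. A reply for a statically mapped IP must carry the mapped MAC.
    if op == 2:
        expected = table.get(ip_str(spa))
        if expected is not None and mac_str(sha) != expected:
            alerts.append(f"ARP cache overwrite attempt for {ip_str(spa)}")
    return alerts
```

Like the preprocessor, this only sees frames on the sensor's own broadcast domain and only knows the hosts you listed in the table.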
Current thread:
- ARP poisoning and sniffing in a Switched Network CGhercoias (Dec 17)
- Re: ARP poisoning and sniffing in a Switched Network twig les (Dec 17)