Snort mailing list archives
Re: [Snort-sigs] ARP scan
From: "jon baer" <security () jonbaer net>
Date: Mon, 6 Oct 2003 10:30:57 -0400
while there are many tools which can accomplish this type of activity, ettercap is the most common: http://ettercap.sourceforge.net

here is an archive of jeff's analysis of how the arp preprocessor works (not sure if it's outdated): http://www.geocrawler.com/archives/3/4890/2002/6/0/9056309/

- jon

----- Original Message -----
From: Martin Jr., D. Michael
To: snort-sigs () lists sourceforge net
Sent: Monday, October 06, 2003 9:30 AM
Subject: [Snort-sigs] ARP scan

I am new to snort but think it can probably do what we need. Recently we have been plagued by an onslaught of computer viruses on our residence hall computer network (I am the Network Admin for a University). In any event, I have been using Ethereal to sniff our network and all of the infected computers seem to have one common denominator... They perform an ARP scan to identify other potential clients to infect and thus perform a Denial of Service attack on the campus as a result.

The sniffed traffic looks similar to this:

No.  Time      Source             Destination        Protocol  Info
1    0.000000  00:08:a1:15:cd:d7  ff:ff:ff:ff:ff:ff  ARP       Who has 192.168.143.18? Tell 192.168.103.75
2    0.013977  00:08:a1:15:cd:d7  ff:ff:ff:ff:ff:ff  ARP       Who has 192.168.143.19? Tell 192.168.103.75
3    0.018469  00:08:a1:15:cd:d7  ff:ff:ff:ff:ff:ff  ARP       Who has 192.168.143.20? Tell 192.168.103.75
4    0.034004  00:08:a1:15:cd:d7  ff:ff:ff:ff:ff:ff  ARP       Who has 192.168.143.21? Tell 192.168.103.75
5    0.049736  00:08:a1:15:cd:d7  ff:ff:ff:ff:ff:ff  ARP       Who has 192.168.143.22? Tell 192.168.103.75
6    0.065195  00:08:a1:15:cd:d7  ff:ff:ff:ff:ff:ff  ARP       Who has 192.168.143.23? Tell 192.168.103.75
7    0.081136  00:08:a1:15:cd:d7  ff:ff:ff:ff:ff:ff  ARP       Who has 192.168.143.24? Tell 192.168.103.75
8    0.096509  00:08:a1:15:cd:d7  ff:ff:ff:ff:ff:ff  ARP       Who has 192.168.143.25? Tell 192.168.103.75

Any suggestions on the best way to get snort to detect and report this type of traffic??? All I need is the hardware address of the culprit. From there I can go to our DHCP server and ascertain the IP and any owner information.

Thanks,
Michael Martin
University of Montevallo
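As an added illustration of the kind of detection Michael is asking about (this is not part of the thread and is not Snort's ARP preprocessor), the following Python parses Ethereal-style summary lines like the ones quoted above and reports any source MAC that asks "Who has" for many distinct IPs within a short window, which is the sequential-sweep pattern in his capture. The sample lines, the one-second window and the threshold of five distinct targets are constructed assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the Ethereal summary format quoted in the thread.
# The second MAC repeats a normal request for its gateway and should not be flagged.
SAMPLE_CAPTURE = """\
1 0.000000 00:08:a1:15:cd:d7 ff:ff:ff:ff:ff:ff ARP Who has 192.168.143.18? Tell 192.168.103.75
2 0.013977 00:08:a1:15:cd:d7 ff:ff:ff:ff:ff:ff ARP Who has 192.168.143.19? Tell 192.168.103.75
3 0.018469 00:08:a1:15:cd:d7 ff:ff:ff:ff:ff:ff ARP Who has 192.168.143.20? Tell 192.168.103.75
4 0.034004 00:08:a1:15:cd:d7 ff:ff:ff:ff:ff:ff ARP Who has 192.168.143.21? Tell 192.168.103.75
5 0.049736 00:08:a1:15:cd:d7 ff:ff:ff:ff:ff:ff ARP Who has 192.168.143.22? Tell 192.168.103.75
6 0.120000 00:0c:29:aa:bb:cc ff:ff:ff:ff:ff:ff ARP Who has 192.168.103.1? Tell 192.168.103.50
7 0.900000 00:0c:29:aa:bb:cc ff:ff:ff:ff:ff:ff ARP Who has 192.168.103.1? Tell 192.168.103.50
"""

# Matches: frame no., time, source MAC, destination MAC, "ARP", "Who has X? Tell Y".
LINE_RE = re.compile(
    r"^\d+\s+(?P<t>[\d.]+)\s+(?P<src>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+\S+\s+ARP\s+"
    r"Who has (?P<target>\d+\.\d+\.\d+\.\d+)\?\s+Tell (?P<sender>\d+\.\d+\.\d+\.\d+)$",
    re.IGNORECASE,
)

def parse_arp_requests(text):
    """Return a list of (time, src_mac, target_ip) for ARP request lines; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((float(m["t"]), m["src"].lower(), m["target"]))
    return out

def find_arp_scanners(requests, window=1.0, threshold=5):
    """Map src_mac -> peak number of distinct target IPs it requested inside any
    sliding window of `window` seconds, for MACs reaching `threshold` (assumed values)."""
    by_mac = defaultdict(list)
    for t, mac, target in requests:
        by_mac[mac].append((t, target))
    scanners = {}
    for mac, events in by_mac.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward past stale requests
            distinct = {tgt for _, tgt in events[start:end + 1]}
            if len(distinct) >= threshold:
                scanners[mac] = max(len(distinct), scanners.get(mac, 0))
    return scanners
```

The hardware address the thread asks for is the key of the returned dictionary, ready to be looked up against DHCP lease records.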