Snort mailing list archives

Re: Tcp session hijacking


From: Meysam Farazmand <farazmand.meisam () gmail com>
Date: Tue, 19 Aug 2014 21:30:26 +0430

Hi Jefferson,

When we do a man-in-the-middle attack, all of the devices' ARP tables update
with the MAC address of the attacker. So this change in MAC address should be
detected as session hijacking by the stream5 preprocessor, because the stream5
check_session_hijacking option relies on changes in the MAC address of a TCP
connection.

Also, my switch is unmanaged and has no MAC spoofing detection capability.
On Aug 19, 2014 9:11 PM, "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
wrote:

Wouldn't your MAC addresses just be those of your routers anyway? Any
non-trivial network (i.e. enterprise) probably won't get much benefit from
Snort trying to detect this. You're better off using the anti-MAC-spoofing
features of your switches, IMO.



*From:* Meysam Farazmand [mailto:farazmand.meisam () gmail com]
*Sent:* August 19, 2014 1:16 AM
*To:* snort-users () lists sourceforge net
*Subject:* Re: [Snort-users] Tcp session hijacking



Hi Waldo,

Thank you for the reply. Yes, you're right. I am doing a project with Snort, and
my project manager wants me to test Snort's session hijacking detection
capability. If we assume that the attacker does not use a spoofed MAC address,
the similarity between session hijacking and MITM is that in both, the MAC
address of one side changes. So Snort should detect this MAC address change
with stream5. Is that correct?

On Aug 17, 2014 9:27 PM, "waldo kitty" <wkitty42 () windstream net> wrote:

On 8/17/2014 5:37 AM, Meysam Farazmand wrote:
Hi all,

I used "check_session_hijacking" in the stream5 preprocessor for session
hijacking attack detection and launched a MITM attack. But Snort did not
detect it.

session hijacking and mitm are not the same...

session hijacking is where you take over or continue with someone's existing or
previous session...

mitm is where you are in the middle and have valid sessions with both parties
and pass their traffic across while doing what you want with it in the middle...


--
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.


------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
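The thread turns on what a MAC-based session hijacking check can and cannot see. The script below is an added illustration, not Snort's stream5 code: it models the check as the thread describes it (remember the MAC address seen for each endpoint of a TCP 4-tuple and flag a change while the session is established) and runs it over two constructed packet sequences. The first is the ARP-poisoning case from the original question, where the sensor shares the L2 segment with both hosts; the second is Jefferson's point, where one side is behind a router so every frame carries the router's MAC and a hijack from the remote side leaves nothing for the MAC check to notice. All MAC/IP values are made up, and dropping a flow on FIN/RST is an assumption of this model, not documented stream5 behaviour.

```python
"""Model of a mid-session MAC change check on TCP flows.

Added example for illustration; this is not Snort's stream5 implementation.
Packets are constructed dicts standing in for frames seen by a sensor.
"""
from collections import namedtuple

# One captured frame: L2 addresses, TCP 4-tuple and TCP flag letters.
Packet = namedtuple(
    "Packet", "src_mac dst_mac src_ip src_port dst_ip dst_port flags")


def flow_key(pkt):
    """Direction-independent key for a TCP session (sorted endpoint pair)."""
    a = (pkt.src_ip, pkt.src_port)
    b = (pkt.dst_ip, pkt.dst_port)
    return (a, b) if a <= b else (b, a)


class MacChangeDetector:
    """Track the MAC seen for each endpoint of a flow; alert when it changes."""

    def __init__(self):
        # flow key -> {(ip, port): mac first seen for that endpoint}
        self.flows = {}

    def process(self, pkt):
        """Return a list of alert strings for this packet (empty if none)."""
        key = flow_key(pkt)
        endpoints = self.flows.setdefault(key, {})
        alerts = []
        for ep, mac in (((pkt.src_ip, pkt.src_port), pkt.src_mac),
                        ((pkt.dst_ip, pkt.dst_port), pkt.dst_mac)):
            seen = endpoints.get(ep)
            if seen is None:
                endpoints[ep] = mac
            elif seen != mac:
                alerts.append(
                    f"MAC change for {ep[0]}:{ep[1]} {seen} -> {mac} "
                    f"in session {key}")
                endpoints[ep] = mac  # follow the new MAC; avoid re-alerting
        # Assumption of this model: FIN or RST ends tracking for the flow.
        if "F" in pkt.flags or "R" in pkt.flags:
            self.flows.pop(key, None)
        return alerts


def run_scenario(packets):
    """Feed packets through a fresh detector and collect all alerts."""
    det = MacChangeDetector()
    return [a for p in packets for a in det.process(p)]


# Constructed addresses (not real hosts).
CLIENT = "aa:aa:aa:00:00:05"
SERVER = "aa:aa:aa:00:00:10"
ATTACKER = "cc:cc:cc:00:00:66"
ROUTER = "bb:bb:bb:00:00:01"


def same_segment_packets():
    """Client, server and sensor on one L2 segment; attacker ARP-poisons the client."""
    c, s = ("10.0.0.5", 40000), ("10.0.0.10", 80)
    return [
        Packet(CLIENT, SERVER, c[0], c[1], s[0], s[1], "S"),
        Packet(SERVER, CLIENT, s[0], s[1], c[0], c[1], "SA"),
        Packet(CLIENT, SERVER, c[0], c[1], s[0], s[1], "A"),
        # After ARP poisoning the client sends server-bound frames to the attacker.
        Packet(CLIENT, ATTACKER, c[0], c[1], s[0], s[1], "PA"),
    ]


def routed_packets():
    """Client behind a router; sensor on the server segment sees only the router MAC."""
    c, s = ("192.168.1.5", 40000), ("10.0.0.10", 80)
    return [
        Packet(ROUTER, SERVER, c[0], c[1], s[0], s[1], "S"),
        Packet(SERVER, ROUTER, s[0], s[1], c[0], c[1], "SA"),
        Packet(ROUTER, SERVER, c[0], c[1], s[0], s[1], "A"),
        # A hijacker on the client's remote segment injects into the session;
        # the frame still arrives via the router, so the MAC is unchanged.
        Packet(ROUTER, SERVER, c[0], c[1], s[0], s[1], "PA"),
    ]


if __name__ == "__main__":
    print("same segment:", run_scenario(same_segment_packets()))
    print("routed:      ", run_scenario(routed_packets()))
```

The same-segment run produces one alert for the server endpoint (its MAC flips from the server's to the attacker's); the routed run produces none, which is exactly why a MAC-change check only helps when the sensor sits on the same L2 segment as the hosts it is watching.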
