IDS mailing list archives
Re: filtering ARP and detecting ARP spoofing
From: "Mark" <mark () uniontown com>
Date: Tue, 15 Apr 2003 16:47:59 -0400
Hi,

On less secure machines I completely turn off ARP on the interface with the ifconfig command, and static arp anything that the computer needs to talk to, like its default gateway. This seems to make the Linux not try to arp anything, and ignores others arping. Also, you can use ARPWATCH to tell you when an IP address changes MAC or vice versa, I think.

On most of my sniffing machines I use an ethernet cable that lets the computer listen but never transmit, and turn off ARP on the interface so the Linux doesn't try to ARP things; it's way harder to hack a machine if you can't interact with it.

Hope this helps you some.

-Mark

----- Original Message -----
From: "falcifer" <falcifer2001 () yahoo es>
To: <focus-ids () securityfocus com>
Sent: Monday, April 14, 2003 9:02 PM
Subject: filtering ARP and detecting ARP spoofing
Hi

I've 2 questions:

1- Is there any way to filter ARP packets on Linux? (I've heard about arptables but I wasn't able to find out how I can use it.)

2- In an environment with dynamic IPs, how can I implement an IDS to detect ARP spoofing? What rules could I implement for it? Are there any Cisco switches that implement any of these features?

Thanks to all

--
falcifer <falcifer2001 () yahoo es>
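The binding checks discussed in this thread (static entries for hosts such as the default gateway, and an alert when an IP address changes MAC), sketched as an added example that is not part of the original posts and is not arpwatch's code. The names `parse_arp`, `ArpMonitor` and `build_arp` are hypothetical, and the sample addresses are constructed from documentation ranges.

```python
import socket
import struct

ARP_HDR = struct.Struct("!HHBBH")  # htype, ptype, hlen, plen, oper

def parse_arp(frame):
    """Return (eth_src, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, _op = ARP_HDR.unpack(frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return frame[6:12].hex(":"), frame[22:28].hex(":"), socket.inet_ntoa(frame[28:32])

class ArpMonitor:
    def __init__(self, pinned=None):
        self.pinned = dict(pinned or {})   # static entries, e.g. the default gateway
        self.seen = {}                     # learned ip -> mac bindings

    def observe(self, frame):
        """Return a list of alert strings for one captured frame."""
        parsed = parse_arp(frame)
        if parsed is None:
            return []
        eth_src, sha, spa = parsed
        alerts = []
        if eth_src != sha:                 # Ethernet header disagrees with ARP payload
            alerts.append(f"mismatch {spa}: frame from {eth_src} claims {sha}")
        if spa == "0.0.0.0":               # ARP probe: no binding is being claimed
            return alerts
        if spa in self.pinned:
            if sha != self.pinned[spa]:
                alerts.append(f"pinned {spa}: expected {self.pinned[spa]}, saw {sha}")
            return alerts
        old = self.seen.get(spa)
        if old is not None and old != sha:
            alerts.append(f"changed {spa}: {old} -> {sha}")
        self.seen[spa] = sha
        return alerts

def build_arp(eth_src, sha, spa, tpa, op=2):
    """Build a constructed sample frame (broadcast destination) for offline testing."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return (b"\xff" * 6 + raw(eth_src) + b"\x08\x06" + ARP_HDR.pack(1, 0x0800, 6, 4, op)
            + raw(sha) + socket.inet_aton(spa) + b"\x00" * 6 + socket.inet_aton(tpa))
```

With dynamic addressing, a "changed" alert can be a legitimate lease reassignment, so it is a lead to check against the DHCP server's records rather than proof of spoofing; a "pinned" alert contradicts a static entry and warrants immediate attention.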