IDS mailing list archives

Re: filtering ARP and detecting ARP spoofing


From: oudot laurent <oudot.laurent () wanadoo fr>
Date: Tue, 15 Apr 2003 23:17:32 +0200



Mark wrote:
Hi, on less secure machines I completely turn off ARP on the interface
with the ifconfig command, and static arp anything that the computer needs
to talk to like its default gateway.  This seems to make the Linux not try
to arp anything, and ignores others arping.

Also, you can use ARPWATCH to tell you when an IP address changes MAC or
vice versa I think.


If you are interested in an IDS tool, you can also use prelude-nids from Prelude-IDS (http://www.prelude-ids.org), which has the same feature (IP associated with MAC) and others about ARP attacks (plugin called "ArpSpoof") [Attempted ARP cache overwrite attack...]

Easy to configure: /usr/local/etc/prelude-nids/prelude-nids.conf
...
[ArpSpoof]
#
# Search anomaly in ARP request.
#
# The "directed" option will result in a warn each time an ARP
# request is sent to an address other than the broadcast address.
#
# directed;
# arpwatch=<ip> <macaddr>;
...

Most of my sniffing machines I use an ethernet cable that lets the computer
listen but never transmit, and turn off ARP on the Interface so the Linux
doesn't try to ARP things, it's way harder to hack a machine if you can't
interact with it.

Don't you have problems with full duplex networks?


Hope this helps you some.


Me too.

laurent.

-Mark

----- Original Message -----
From: "falcifer" <falcifer2001 () yahoo es>
To: <focus-ids () securityfocus com>
Sent: Monday, April 14, 2003 9:02 PM
Subject: filtering ARP and detecting ARP spoofing



Hi
I've 2 questions:

1- Is there any way to filter ARP packets on Linux (I've heard about
arptables but I wasn't able to find how I can use it)

2- In an environment with dynamic IPs, how can I implement an IDS to detect
ARP spoofing? What rules could I implement for it? Is there any Cisco switch
that implements any of these features?

Thanks to all
--
falcifer <falcifer2001 () yahoo es>


--------------------------------------------------------------------------
INTRUSION PREVENTION: READY FOR PRIME TIME?
IntruShield now offers unprecedented Intrusion Intelligence(TM) capabilities -
including intrusion identification, relevancy, direction, impact and
analysis - enabling a path to prevention.
Download the latest white paper "Intrusion Prevention: Myths, Challenges,
and Requirements" at: http://www.securityfocus.com/IntruVert-focus-ids
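
The two checks mentioned in this thread, tracking which MAC address an IP is associated with (as arpwatch does) and warning on "directed" ARP requests sent to a non-broadcast address, shown in Python as an added example; it is not part of the original messages and is not Prelude-IDS or arpwatch code. The function and class names, the split between pinned pairs and pairs learned on the wire (for networks with dynamic IPs), and the sample addresses used to exercise it are assumptions made for illustration.

```python
import struct

BROADCAST = b"\xff" * 6

def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)

def fmt_ip(b):
    return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Return (eth_dst, opcode, sender_mac, sender_ip), or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 42:
        return None
    eth_dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    htype, ptype, hlen, plen, op, sha, spa = struct.unpack("!HHBBH6s4s", frame[14:32])
    if ethertype != 0x0806 or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return eth_dst, op, fmt_mac(sha), fmt_ip(spa)

class ArpMonitor:
    def __init__(self, pinned=None, directed=False):
        self.pinned = dict(pinned or {})   # fixed "ip" -> "aa:bb:..." pairs, never relearned
        self.learned = {}                  # pairs seen on the wire (dynamic hosts)
        self.directed = directed           # warn on ARP requests that are not broadcast

    def observe(self, frame):
        """Feed one raw Ethernet frame; return a list of alert strings."""
        parsed = parse_arp(frame)
        if parsed is None:
            return []
        eth_dst, op, smac, sip = parsed
        alerts = []
        if self.directed and op == 1 and eth_dst != BROADCAST:
            alerts.append(f"directed ARP request to {fmt_mac(eth_dst)}")
        if sip == "0.0.0.0":               # address probe: no IP/MAC binding is claimed
            return alerts
        expected = self.pinned.get(sip, self.learned.get(sip))
        if expected is not None and expected != smac:
            alerts.append(f"{sip} moved from {expected} to {smac}")
        if sip not in self.pinned:
            self.learned[sip] = smac       # follow the change so a learned pair alerts once
        return alerts

def arp_frame(eth_dst, op, smac, sip, tmac, tip):
    """Build a constructed sample frame (bytes only, nothing is sent) for testing."""
    hdr = struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, op)
    return eth_dst + smac + hdr + smac + sip + tmac + tip
```

A pinned pair keeps alerting for as long as a different MAC claims the address, while a learned pair alerts once when it changes and then follows the new MAC, so a DHCP lease handed to another host produces one alert per change.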


