Snort mailing list archives
Re: spoof detection in snort
From: roel () SiliconDefense com
Date: Tue, 01 May 2001 14:56:10 -0700
Geoff, I've been working off and on on this; it deals with changing MAC addresses and DHCP. (That is where it gets complicated, really.) Hopefully I will release this piece of code shortly after my short vacation (a couple of weeks from now, barring nothing else major coming up). It straddles the line between your manual and auto: it does auto where it can, but it does require that you give it the default router. The reason for that is so it can associate one particular MAC address with foreign IP addresses, so it can directly identify spoofing attempts. It also tracks whether there is more than a 1:1 relationship (multiple MACs have the same IP, multiple IPs have the same MAC). The only weakness is that it needs to be plugged in to a local area network of the Ethernet variety; sitting it behind a router buys you very little....

roel
G'day. Unless snort already has this ability, which I have missed somehow, I would like to sit down and write a spoof alert preprocessor. Comments are solicited on the following plan.

-------
Spoof Alert Preprocessor

Purpose: Inspect network traffic to determine if a packet with a foreign IP source address has the ARP address of (one of) the adjacent router(s). If not, then flag the packet as a likely spoof.

Settings:

AUTO. In auto mode, the preprocessor analyzes the routing table for the host that snort is running on and automatically associates the ARP address with the router's IP address. No muss, no fuss. The primary question is whether that should be done by merely querying the routing table on the host, or by actually generating route requests from the application in order to take into account multiple routing possibilities from the local network segment that the host may not be aware of (think hosts with default routes and no routing daemons enabled). The primary advantage to generating queries is if a router ARP address changes for some reason (regular network maintenance or a failed router) without the knowledge of the security team running the NIDS box, thereby generating reams of false alarms. If a change is detected, the preprocessor should log that fact in the form of an alert. In this case the route query would be generated upon startup of the application, and then merely wait for events; there should be no further route queries.

MANUAL. In manual mode, provide a list of IP addresses and possibly associated ARP addresses of valid routers on the local network segment.
---------------------------------

I'm a neophyte at network programming, so good pointers to resources would be appreciated as well. Additionally, if there are code examples of utilities that do this now, I would appreciate a pointer in that direction.
-geoff _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- roel Silicon Defense: Technical Support for Snort! http://www.SiliconDefense.com
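The check both messages describe, as an added example written for this archive page and not code from roel's or Geoff's preprocessor: a foreign (off-link) source IP must arrive with the default router's MAC, and local IP/MAC pairings are tracked so that a one-to-many relationship in either direction raises an alert. The local subnet, router MAC and frames are all constructed here; DHCP lease changes, which roel notes complicate the MAC tracking, are not modelled.

```python
import ipaddress
import struct
from collections import defaultdict

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_frame(src_mac, src_ip, dst_mac="00:11:22:33:44:55", dst_ip="192.168.1.10"):
    """Constructed Ethernet II frame with a minimal IPv4 header (no payload), for testing."""
    eth = struct.pack("!6s6sH", mac_bytes(dst_mac), mac_bytes(src_mac), 0x0800)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip_hdr

def parse_frame(frame):
    """Return (src_mac, src_ip) for an Ethernet II IPv4 frame, else None."""
    if len(frame) < 34:
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:          # only IPv4 is inspected
        return None
    return mac_str(src), str(ipaddress.IPv4Address(frame[26:30]))

class SpoofDetector:
    def __init__(self, local_net, router_mac):
        # Assumed configuration: the local segment and the default router's MAC.
        self.local_net = ipaddress.ip_network(local_net)
        self.router_mac = router_mac.lower()
        self.ip_to_macs = defaultdict(set)   # local IP -> MACs seen claiming it
        self.mac_to_ips = defaultdict(set)   # local MAC -> IPs seen behind it

    def inspect(self, frame):
        parsed = parse_frame(frame)
        if parsed is None:
            return []
        mac, ip = parsed
        alerts = []
        if ipaddress.ip_address(ip) not in self.local_net:
            # An off-link source IP is only legitimate when forwarded by the router.
            if mac != self.router_mac:
                alerts.append(("spoof", mac, ip))
            return alerts
        self.ip_to_macs[ip].add(mac)
        self.mac_to_ips[mac].add(ip)
        if len(self.ip_to_macs[ip]) > 1:
            alerts.append(("ip-shared-by-macs", mac, ip))
        if len(self.mac_to_ips[mac]) > 1:
            alerts.append(("mac-has-many-ips", mac, ip))
        return alerts
```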