Snort mailing list archives
Re: ARP packets : important ?
From: Ryan Russell <ryan () securityfocus com>
Date: Tue, 5 Mar 2002 14:03:39 -0700 (MST)
On Tue, 5 Mar 2002, Ashley Thomas wrote:
From an IDS point of view, is it important to look at ARP packets? Are there any security threats / loopholes, etc.?
ARP packets with bad information/for non-existent hosts may be indicative of someone playing games in order to be able to sniff on a switched network, or get traffic to flow through them in order to hijack connections. There is also at least one ARP exploit I'm aware of that will allow someone to cause Cisco equipment to drop off the network (Jeff?)

However, to be able to spot many of these attacks, you have to have an idea of what "normal" ARP traffic is. This would require a database of MAC and IP addresses. I don't know if there is a plugin for Snort to do this.

Ryan
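Added example, not part of the original message and not Snort code: a sketch of the comparison described above, checking raw ARP frames against a database of MAC and IP addresses. The `KNOWN_HOSTS` table, the function names and the frames built by `build_arp` are constructed for illustration.

```python
import struct

# Constructed baseline of known-good IP -> MAC bindings (assumption: site-maintained).
KNOWN_HOSTS = {
    "192.168.1.1": "00:11:22:33:44:55",
    "192.168.1.10": "00:aa:bb:cc:dd:01",
}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def ip(b):
    return ".".join(str(x) for x in b)

def check_arp_frame(frame, known=KNOWN_HOSTS):
    """Return findings for one Ethernet frame carrying IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return ["truncated frame"]
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        return []  # not ARP
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return ["unsupported ARP header"]
    findings = []
    # The link-layer source and the ARP sender address should agree.
    if eth_src != sha:
        findings.append(f"ethernet source {mac(eth_src)} differs from ARP sender {mac(sha)}")
    sender_ip, sender_mac = ip(spa), mac(sha)
    expected = known.get(sender_ip)
    if expected is None:
        findings.append(f"{sender_ip} is not in the baseline")
    elif expected != sender_mac:
        findings.append(f"{sender_ip} claimed by {sender_mac}, baseline says {expected}")
    # Requests (op 1) for addresses the baseline does not contain.
    if op == 1 and ip(tpa) not in known:
        findings.append(f"request for unknown host {ip(tpa)}")
    return findings

def build_arp(eth_src, sha, spa, tpa, op=2,
              eth_dst="ff:ff:ff:ff:ff:ff", tha="00:00:00:00:00:00"):
    """Build a constructed sample frame for exercising check_arp_frame."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    i = lambda s: bytes(int(x) for x in s.split("."))
    return (m(eth_dst) + m(eth_src) + struct.pack("!H", 0x0806)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + m(sha) + i(spa) + m(tha) + i(tpa))
```
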