Snort mailing list archives

Re: Disable spoofing ARP in kill packets


From: Jeff Nathan <jeff () snort org>
Date: Wed, 17 Apr 2002 14:35:41 -0700

Laurent Cabal wrote:

Hi,

I have some problems installing snort in a switched environment.

Indeed, on most switches, it is not possible to disable MAC
learning on a port. When the kill packet arrives in the switch, it learns
the source MAC address. But this MAC address has been learned before on
another port of the switch. So some frames have been lost because they have
been sent on the port linked to the snort.

This problem can be solved if we disable MAC address learning on the
port linked to the snort. But this functionality does not exist on all
switches.

Does anyone have a solution for me?

I would like to try to disable the ARP spoofing in the kill packet. Do you
know if it is possible?


Thanks in advance,

------------------------------------------------------------------------------------------


Laurent Cabal

Security Engineer



Hello.

Snort doesn't "spoof" the ARP in the kill packet.  The originating
hardware address will be the hardware address of the NIC in your snort
sensor.  The hardware address is only relevant in the switch with regard
to the snort sensor being able to deliver Ethernet frames to the router. 

Therefore, you could write a shell script that pings your router
periodically to create the appropriate hardware address entry in your
switch and ensure it doesn't expire. 

-Jeff 

-- 
http://jeff.wwti.com            (pgp key available)
"Common sense is the collection of prejudices acquired by age eighteen."
- Albert Einstein
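The keepalive Jeff suggests, written out as an added example (not code from the thread or from the Snort project). It assumes a Linux sensor with the iputils ping(8), the router's IP as the first argument and the switch's MAC aging time in seconds as the second; the interval is derived from the aging time so the entry is refreshed well before it expires, and a router that stops answering is logged, since that also means kill packets can no longer be delivered.

```shell
#!/bin/sh
# Keepalive for a Snort sensor behind a switch (added example, not from the
# original thread). Assumptions: Linux with iputils ping (-W is a timeout in
# seconds), the router's IP is passed as $1 and the switch's MAC aging time
# (seconds) as $2. Pinging the router well inside the aging window keeps the
# sensor's MAC in the switch's forwarding table, so kill packets (and anything
# else the sensor sends) keep reaching the router instead of being flooded or
# dropped.

# Pick a ping interval safely inside the switch's MAC aging time: half the
# aging time, never less than 5 seconds. Returns 1 on non-numeric input.
ping_interval() {
    aging="$1"
    case "$aging" in
        ''|*[!0-9]*) return 1 ;;   # not a non-negative integer
    esac
    interval=$((aging / 2))
    [ "$interval" -lt 5 ] && interval=5
    echo "$interval"
}

# Send one ping to the router; returns ping's exit status (0 = reachable).
refresh_switch_entry() {
    router="$1"
    ping -c 1 -W 2 "$router" >/dev/null 2>&1
}

# Main loop: ping forever, logging whenever the router stops answering.
keepalive_loop() {
    router="$1"
    interval=$(ping_interval "$2") || { echo "bad aging time: $2" >&2; return 1; }
    while :; do
        if ! refresh_switch_entry "$router"; then
            logger -t snort-keepalive "router $router unreachable" 2>/dev/null \
                || echo "$(date) router $router unreachable" >&2
        fi
        sleep "$interval"
    done
}

# Usage: keepalive.sh <router-ip> <mac-aging-seconds>
# Only start the loop when this file is run directly with both arguments.
if [ "$#" -eq 2 ] && [ "$(basename -- "$0")" = "keepalive.sh" ]; then
    keepalive_loop "$1" "$2"
fi
```

Run it from the sensor in the background (or as a service) with the aging time your switch actually uses, so the refresh always lands before the entry is aged out.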

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

