Snort mailing list archives

Re: How to detect massive ARPing from Ettercap?


From: Gary Flynn <flynngn () jmu edu>
Date: Fri, 27 Sep 2002 13:44:39 -0400

twig les wrote:

> Hey *, my latest spare-time toy is ettercap
> (ettercap.sourceforge.net), which among many other
> things, can map its subnet in about 10 seconds through
> massive arping.  Unfortunately my snort box didn't see
> this happening.  More accurately, it saw it but didn't
> generate any alerts.  I know it saw it because I ran
> tcpdump on the snort box also.

Yea. I played with it a few months ago and lost
a lot of confidence in switched networks and SSH
as packet sniffing prevention measures :)

There is an arpspoof module listed in the snort.conf file.
I haven't tried it.

Of course, the box doing the monitoring would have to
be on the segment where the arpspoofing is occurring.
You wouldn't see it on the other side of a router
interface.

Another tool I've heard of in this respect is arpwatch.
Again, it would have to be deployed on each segment.

You may be able to do something with regular monitoring
of your core router arp caches too.


-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe
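The two checks the reply points at (spotting a host that ARPs for a whole subnet in a few seconds, and arpwatch-style tracking of which MAC answers for each IP, which is also what a periodic diff of a router's ARP cache gives you) can be sketched in a few dozen lines. The script below is an added example written for this archive page; it is not Snort's arpspoof preprocessor, not arpwatch, and not code from either poster. It reads constructed tcpdump-style ARP lines embedded in the script (no real capture), and the window of 10 seconds and threshold of 20 distinct targets are assumed tuning values, not anything the thread specifies.

```python
"""Added example: flag ARP sweeps and IP-to-MAC changes in tcpdump ARP output.

Two defender-side checks on constructed tcpdump-style ARP lines:
  1. a host asking "who-has" for many distinct addresses in a short
     window (the rapid subnet mapping the original poster describes), and
  2. an IP whose announced MAC changes between replies (what arpwatch
     reports, and what a periodic diff of a router's ARP cache would catch).
All sample lines are constructed for this example, not captured data.
"""
import re
from collections import defaultdict

# Accepts both the classic "arp who-has X tell Y" line and the newer
# "ARP, Request who-has X tell Y, length 28" line that tcpdump prints.
ARP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}(?:\.\d+)?)\s+(?:ARP,\s+)?(?:arp\s+)?"
    r"(?:(?:Request\s+)?who-has\s+(?P<target>[^\s,]+)\s+tell\s+(?P<asker>[^\s,]+)"
    r"|(?:Reply\s+)?(?P<ip>[^\s,]+)\s+is-at\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}))",
    re.IGNORECASE,
)


def _seconds(ts: str) -> float:
    """Convert a tcpdump HH:MM:SS.ffffff timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_arp_line(line: str):
    """Return a dict for an ARP request or reply line, or None for any other line."""
    m = ARP_LINE.match(line.strip())
    if not m:
        return None
    if m.group("target"):
        return {"ts": _seconds(m.group("ts")), "op": "request",
                "asker": m.group("asker"), "target": m.group("target")}
    return {"ts": _seconds(m.group("ts")), "op": "reply",
            "ip": m.group("ip"), "mac": m.group("mac").lower()}


def find_sweepers(records, window=10.0, threshold=20):
    """Return {asker: n} for askers that requested at least `threshold`
    distinct targets within some `window`-second span (assumed defaults)."""
    by_asker = defaultdict(list)
    for r in records:
        if r["op"] == "request":
            by_asker[r["asker"]].append((r["ts"], r["target"]))
    hits = {}
    for asker, reqs in by_asker.items():
        reqs.sort()
        best = 0
        for i in range(len(reqs)):
            seen = set()
            for ts, target in reqs[i:]:
                if ts - reqs[i][0] > window:
                    break
                seen.add(target)
            best = max(best, len(seen))
        if best >= threshold:
            hits[asker] = best
    return hits


def find_mac_changes(records):
    """arpwatch-style: list (ts, ip, old_mac, new_mac) whenever a reply
    announces a different MAC than the one last seen for that IP."""
    table, changes = {}, []
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["op"] != "reply":
            continue
        old = table.get(r["ip"])
        if old is not None and old != r["mac"]:
            changes.append((r["ts"], r["ip"], old, r["mac"]))
        table[r["ip"]] = r["mac"]
    return changes


def _build_sample():
    """Constructed traffic: a little normal ARP, one 60-host sweep, one MAC change."""
    lines = [
        "13:44:00.000000 arp reply 192.168.1.1 is-at 00:aa:bb:cc:dd:01",
        "13:44:00.500000 arp who-has 192.168.1.1 tell 192.168.1.10",
        "13:44:03.000000 arp who-has 192.168.1.20 tell 192.168.1.10",
    ]
    for n in range(1, 61):  # one host asking for 60 addresses inside one second
        lines.append(f"13:44:10.{n * 15000:06d} arp who-has 192.168.1.{n} tell 192.168.1.99")
    lines.append("13:44:30.000000 ARP, Reply 192.168.1.1 is-at 00:de:ad:be:ef:02, length 28")
    lines.append("13:44:31.000000 not an arp line at all")
    return lines


SAMPLE_LINES = _build_sample()


def analyze(lines, window=10.0, threshold=20):
    """Run both checks over tcpdump-style lines and return the findings."""
    records = [r for r in map(parse_arp_line, lines) if r]
    return {"sweepers": find_sweepers(records, window, threshold),
            "mac_changes": find_mac_changes(records)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LINES)
    for asker, n in report["sweepers"].items():
        print(f"possible ARP sweep: {asker} asked for {n} hosts within 10s")
    for ts, ip, old, new in report["mac_changes"]:
        print(f"MAC change for {ip}: {old} -> {new} at t={ts:.3f}s")
```

As the reply notes, this only works where the sensor sits: feed it `tcpdump -n arp` output from a box on the segment being watched, since ARP never crosses a router interface. For the cache-diff variant, the same `find_mac_changes` logic applies to successive snapshots of a router's ARP table once they are turned into (ip, mac) records.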

