Snort mailing list archives
Re: [Snort-Users] [Snort]: can we use it to detect ARP cache poisoning
From: Kevin Ross <kevross33 () googlemail com>
Date: Mon, 25 Jul 2011 08:54:24 +0100
You want to use the arpspoof preprocessor in the snort.conf configuration file. Snort generally detects attacks at higher levels in the OSI model and usually isn't ideal for detecting datalink layer attacks such as ARP spoofing and so on.

Regards,
Kevin

FROM THE MANUAL:

2.2.12 ARP Spoof Preprocessor

The ARP spoof preprocessor decodes ARP packets and detects ARP attacks, unicast ARP requests, and inconsistent Ethernet to IP mapping.

When no arguments are specified to arpspoof, the preprocessor inspects Ethernet addresses and the addresses in the ARP packets. When inconsistency occurs, an alert with GID 112 and SID 2 or 3 is generated.

When "-unicast" is specified as the argument of arpspoof, the preprocessor checks for unicast ARP requests. An alert with GID 112 and SID 1 will be generated if a unicast ARP request is detected.

Specify a pair of IP and hardware address as the argument to arpspoof_detect_host. The host with the IP address should be on the same layer 2 segment as Snort is. Specify one host IP MAC combo per line. The preprocessor will use this list when detecting ARP cache overwrite attacks. Alert SID 4 is used in this case.

Format

    preprocessor arpspoof[: -unicast]
    preprocessor arpspoof_detect_host: ip mac

Option  Description
ip      IP address.
mac     The Ethernet address corresponding to the preceding IP.

Example Configuration

The first example configuration does neither unicast detection nor ARP mapping monitoring. The preprocessor merely looks for Ethernet address inconsistencies.

    preprocessor arpspoof

The next example configuration does not do unicast detection but monitors ARP mapping for hosts 192.168.40.1 and 192.168.40.2.

    preprocessor arpspoof
    preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
    preprocessor arpspoof_detect_host: 192.168.40.2 f0:0f:00:f0:0f:01

The third example configuration has unicast detection enabled.

    preprocessor arpspoof: -unicast
    preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
    preprocessor arpspoof_detect_host: 192.168.40.2 f0:0f:00:f0:0f:01

On 24 July 2011 19:07, subh singh <subh.singh007 () gmail com> wrote:
hi all,
I want some suggestions about ARP cache poisoning. How can we mitigate/prevent ARP cache poisoning attacks using Snort, and which module is responsible for the same? Can we add some more features to Snort to work over ARP cache poisoning?
--regards
subhash
--
To post to this group, send email to snortusers () googlegroups com
For more information, please visit http://www.snort.org
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please see http://www.snort.org/docs for documentation
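As an added example (not Snort's own code and not from either poster), the following Python models the four checks the quoted manual text describes and runs them over constructed ARP frames and a constructed config built from the manual's hosts. Two details are assumptions of this example, not statements from the manual: SID 2 is treated as the source-side Ethernet/ARP mismatch and SID 3 as the destination-side one, and the SID 4 cache-overwrite check is applied to replies only.

```python
from dataclasses import dataclass

GID = 112                       # arpspoof GID named in the manual text above
BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class ArpFrame:                 # one ARP packet plus its Ethernet header
    eth_src: str
    eth_dst: str
    op: int                     # 1 = ARP request, 2 = ARP reply
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

def parse_detect_hosts(conf: str) -> dict:
    """Collect 'preprocessor arpspoof_detect_host: ip mac' lines into {ip: mac}."""
    hosts = {}
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[:2] == ["preprocessor", "arpspoof_detect_host:"]:
            hosts[parts[2]] = parts[3].lower()
    return hosts

def check_frame(frame: ArpFrame, hosts: dict, unicast: bool = False) -> list:
    """Return the (GID, SID) alerts this frame would raise.
    Assumption for this example: SID 2 = source-side mismatch, SID 3 =
    destination-side mismatch; the manual text only says '2 or 3'."""
    alerts = []
    if unicast and frame.op == 1 and frame.eth_dst.lower() != BROADCAST:
        alerts.append((GID, 1))         # unicast ARP request
    if frame.eth_src.lower() != frame.sender_mac.lower():
        alerts.append((GID, 2))         # Ethernet src MAC != ARP sender MAC
    if frame.op == 2 and frame.eth_dst.lower() != frame.target_mac.lower():
        alerts.append((GID, 3))         # Ethernet dst MAC != ARP target MAC (replies)
    expected = hosts.get(frame.sender_ip)
    if frame.op == 2 and expected and frame.sender_mac.lower() != expected:
        alerts.append((GID, 4))         # reply would overwrite a watched IP->MAC mapping
    return alerts

# Constructed config reusing the hosts from the manual's second/third examples.
CONF = """preprocessor arpspoof: -unicast
preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
preprocessor arpspoof_detect_host: 192.168.40.2 f0:0f:00:f0:0f:01"""

# Constructed sample: a reply that claims 192.168.40.1 from an unexpected MAC.
SPOOFED_REPLY = ArpFrame("de:ad:be:ef:00:01", "00:11:22:33:44:55", 2,
                         "de:ad:be:ef:00:01", "192.168.40.1",
                         "00:11:22:33:44:55", "192.168.40.9")
```

Calling check_frame(SPOOFED_REPLY, parse_detect_hosts(CONF), unicast=True) yields only the SID 4 alert, because the Ethernet and ARP addresses agree with each other and the frame is a reply, not a unicast request.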