Snort mailing list archives

Re: [Snort-Users] [Snort]: can we use it to detect ARP cache poisoning


From: Kevin Ross <kevross33 () googlemail com>
Date: Mon, 25 Jul 2011 08:54:24 +0100

You want to use the arpspoof preprocessor in the snort.conf configuration
file. Snort generally detects attacks at higher levels in the OSI model and
usually isn't ideal for detecting datalink layer attacks such as arp
spoofing and so on.

Regards, Kevin

FROM THE MANUAL:

2.2.12 ARP Spoof Preprocessor

The ARP spoof preprocessor decodes ARP packets and detects ARP attacks, unicast ARP requests, and inconsistent Ethernet to IP mapping.

When no arguments are specified to arpspoof, the preprocessor inspects Ethernet addresses and the addresses in the ARP packets. When inconsistency occurs, an alert with GID 112 and SID 2 or 3 is generated.

When "-unicast" is specified as the argument of arpspoof, the preprocessor checks for unicast ARP requests. An alert with GID 112 and SID 1 will be generated if a unicast ARP request is detected.

Specify a pair of IP and hardware address as the argument to arpspoof_detect_host. The host with the IP address should be on the same layer 2 segment as Snort is. Specify one host IP MAC combo per line. The preprocessor will use this list when detecting ARP cache overwrite attacks. Alert SID 4 is used in this case.

Format

    preprocessor arpspoof[: -unicast]
    preprocessor arpspoof_detect_host: ip mac

Option   Description
ip       IP address.
mac      The Ethernet address corresponding to the preceding IP.

Example Configuration

The first example configuration does neither unicast detection nor ARP mapping monitoring. The preprocessor merely looks for Ethernet address inconsistencies.

    preprocessor arpspoof

The next example configuration does not do unicast detection but monitors ARP mapping for hosts 192.168.40.1 and 192.168.40.2.

    preprocessor arpspoof
    preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
    preprocessor arpspoof_detect_host: 192.168.40.2 f0:0f:00:f0:0f:01

The third example configuration has unicast detection enabled.

    preprocessor arpspoof: -unicast
    preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
    preprocessor arpspoof_detect_host: 192.168.40.2 f0:0f:00:f0:0f:01
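To make the manual's three checks concrete, here is an added Python model of the arpspoof preprocessor logic (example code written for this archive page, not Snort's own source): it parses the arpspoof_detect_host lines from the third configuration above, builds constructed ARP frames, and reports GID/SID pairs. The mapping of SID 2 to a sender-side mismatch and SID 3 to a target-side mismatch on replies, and applying the SID 4 check to replies only, are my assumptions; the manual only says "SID 2 or 3".

```python
import struct

# Alert identifiers from the manual excerpt: GID 112, SIDs 1-4.
# Assumption: SID 2 = Ethernet source vs ARP sender mismatch, SID 3 = Ethernet
# destination vs ARP target mismatch on replies.
GID = 112
SID_UNICAST_REQ, SID_SRC_MISMATCH, SID_DST_MISMATCH, SID_CACHE_OVERWRITE = 1, 2, 3, 4
BROADCAST = "ff:ff:ff:ff:ff:ff"

def parse_detect_hosts(conf):
    """Read 'preprocessor arpspoof_detect_host: ip mac' lines from snort.conf text."""
    hosts = {}
    for line in conf.splitlines():
        line = line.strip()
        if line.startswith("preprocessor arpspoof_detect_host:"):
            ip, mac = line.split(":", 1)[1].split()
            hosts[ip] = mac.lower()
    return hosts

def _mac(s): return bytes.fromhex(s.replace(":", ""))
def _ip(s): return bytes(int(x) for x in s.split("."))
def _fmt_mac(b): return ":".join("%02x" % x for x in b)

def build_arp_frame(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Constructed Ethernet II + ARP frame (op 1 = request, 2 = reply); test input only."""
    eth = _mac(eth_dst) + _mac(eth_src) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + _mac(sha) + _ip(spa) + _mac(tha) + _ip(tpa)
    return eth + arp

def check_arp_frame(frame, hosts, unicast=False):
    """Apply the arpspoof checks from the manual; return a list of (gid, sid) alerts."""
    eth_dst, eth_src = _fmt_mac(frame[0:6]), _fmt_mac(frame[6:12])
    op = struct.unpack("!H", frame[20:22])[0]
    sha, spa = _fmt_mac(frame[22:28]), ".".join(str(x) for x in frame[28:32])
    tha = _fmt_mac(frame[32:38])
    alerts = []
    if unicast and op == 1 and eth_dst != BROADCAST:    # "-unicast": request not broadcast
        alerts.append((GID, SID_UNICAST_REQ))
    if eth_src != sha:                                    # Ethernet source != ARP sender MAC
        alerts.append((GID, SID_SRC_MISMATCH))
    if op == 2 and eth_dst != tha:                        # reply: Ethernet dest != ARP target MAC
        alerts.append((GID, SID_DST_MISMATCH))
    if op == 2 and spa in hosts and sha != hosts[spa]:    # reply for a monitored IP with wrong MAC
        alerts.append((GID, SID_CACHE_OVERWRITE))
    return alerts

CONF = """preprocessor arpspoof: -unicast
preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
preprocessor arpspoof_detect_host: 192.168.40.2 f0:0f:00:f0:0f:01
"""

def demo():
    """Legitimate reply for 192.168.40.1 vs a reply claiming that IP with another MAC (constructed)."""
    hosts = parse_detect_hosts(CONF)
    legit = build_arp_frame("00:11:22:33:44:55", "f0:0f:00:f0:0f:00", 2,
                            "f0:0f:00:f0:0f:00", "192.168.40.1", "00:11:22:33:44:55", "192.168.40.9")
    rogue = build_arp_frame("00:11:22:33:44:55", "de:ad:be:ef:00:01", 2,
                            "de:ad:be:ef:00:01", "192.168.40.1", "00:11:22:33:44:55", "192.168.40.9")
    return check_arp_frame(legit, hosts, True), check_arp_frame(rogue, hosts, True)
```

Running `demo()` returns no alert for the legitimate reply and `[(112, 4)]` for the reply that would overwrite the monitored 192.168.40.1 mapping.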

On 24 July 2011 19:07, subh singh <subh.singh007 () gmail com> wrote:

hi all,

I want some suggestion about ARP cache poisoning. How can we mitigate/prevent
ARP cache poisoning attacks using Snort, and which module is responsible
for the same?
Can we add some more features to Snort to work over ARP cache poisoning?

--regards
subhash

--
To post to this group, send email to snortusers () googlegroups com

For more information, please visit http://www.snort.org


Please see http://www.snort.org/docs for documentation
