Snort mailing list archives
Re: Tcp session hijacking
From: waldo kitty <wkitty42 () windstream net>
Date: Tue, 19 Aug 2014 13:49:53 -0400
top posting "corrected" to inline for readability... see my reply below... On 8/19/2014 1:00 PM, Meysam Farazmand wrote:
> On Aug 19, 2014 9:11 PM, "Jefferson, Shawn" <Shawn.Jefferson () bcferries com> wrote:
>> Wouldn’t your MAC addresses just be those of your routers anyway? Any non-trivial network (ie. Enterprise) probably won’t get much benefit from Snort trying to detect this. You’re better off using the anti-mac spoofing features of your switches, IMO.
>
> Hi Jefferson,
>
> When we do a man in the middle attack, all of the devices' ARP tables update with the MAC address of the attacker. So this change in MAC address should be detected as session hijacking by the stream5 preprocessor, because the stream5 check_session_hijacking option relies on changes in the MAC address of a TCP connection.
i think that what jefferson is attempting to point out is that MAC addresses are only good on the current link... in other words, this chart shows 3 MAC address changes in the flow of traffic from A to B...

A -> router1 -> router2 -> B

and this one shows 5 changes...

A -> router1 -> router2 -> router3 -> router4 -> B

the source MAC and destination MAC inside the packet will change at each "->"... IIRC, this is the same for hubs and switches, too...

--
NOTE: No off-list assistance is given without prior approval.
Please *keep mailing list traffic on the list* unless private contact is specifically requested and granted.
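As an added illustration (not code from this thread or from Snort itself), here is a small Python model of the check Meysam describes and of the hop-by-hop limitation waldo kitty points out: the first packet of a flow records the MACs seen for each side, later packets with different MACs raise an alert, and a sensor behind a router only ever sees the router's MAC for the far side. The packet structure, MAC addresses and the two traces are constructed for the example.

```python
from collections import namedtuple

# Constructed packet model: only the fields the check looks at.
Packet = namedtuple("Packet", "src_mac dst_mac src_ip src_port dst_ip dst_port")
ALERT_CLIENT = "client-side MAC changed mid-session"
ALERT_SERVER = "server-side MAC changed mid-session"

class SessionHijackCheck:
    """Simplified model of stream5's check_session_hijacking: the first packet of a
    flow fixes the client and the MACs seen for both sides, and later packets whose
    MACs differ raise an alert. The sensor only sees its own link, so a side's
    'MAC' is really that of whatever forwards for it on that link (often a router)."""

    def __init__(self):
        self.sessions = {}  # flow key -> (client endpoint, client MAC, server MAC)

    def process(self, p):
        """Return an alert string for this packet, or None if its MACs match."""
        a, b = (p.src_ip, p.src_port), (p.dst_ip, p.dst_port)
        key = (a, b) if a <= b else (b, a)          # direction-independent flow key
        if key not in self.sessions:
            self.sessions[key] = (a, p.src_mac, p.dst_mac)
            return None
        client_ep, client_mac, server_mac = self.sessions[key]
        if a == client_ep:                          # client -> server direction
            checks = ((p.src_mac, client_mac, ALERT_CLIENT), (p.dst_mac, server_mac, ALERT_SERVER))
        else:                                       # server -> client direction
            checks = ((p.src_mac, server_mac, ALERT_SERVER), (p.dst_mac, client_mac, ALERT_CLIENT))
        for seen, recorded, alert in checks:
            if seen != recorded:
                return alert
        return None

def run_trace(packets):
    """Feed a trace through a fresh checker and return one result per packet."""
    chk = SessionHijackCheck()
    return [chk.process(p) for p in packets]

# Constructed MACs: hosts A and B, router R1, and another station X on A's LAN.
A, B, R1, X = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:01", "02:00:00:00:00:ee"
# Case 1: A and B share the sensor's link; A's third packet arrives carrying X's MAC.
SAME_LINK = [Packet(A, B, "10.0.0.5", 40000, "10.0.0.9", 80),
             Packet(B, A, "10.0.0.9", 80, "10.0.0.5", 40000),
             Packet(X, B, "10.0.0.5", 40000, "10.0.0.9", 80)]
# Case 2: B is behind R1, so on this link everything to or from B carries R1's MAC;
# a packet with B's address sent from anywhere beyond R1 looks exactly the same.
ROUTED = [Packet(A, R1, "10.0.0.5", 40001, "192.0.2.9", 80),
          Packet(R1, A, "192.0.2.9", 80, "10.0.0.5", 40001),
          Packet(R1, A, "192.0.2.9", 80, "10.0.0.5", 40001)]
```

Case 1 fires on the third packet; case 2 never fires, because the check only ever compares the router's MAC against itself, which is the coverage gap Shawn and waldo kitty describe.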