Snort mailing list archives

Re: Tcp session hijacking


From: waldo kitty <wkitty42 () windstream net>
Date: Tue, 19 Aug 2014 13:49:53 -0400


top posting "corrected" to inline for readability... see my reply below...

On 8/19/2014 1:00 PM, Meysam Farazmand wrote:
On Aug 19, 2014 9:11 PM, "Jefferson, Shawn" <Shawn.Jefferson () bcferries com> wrote:

    Wouldn’t your MAC addresses just be those of your routers anyway?  Any
    non-trivial network (i.e. Enterprise) probably won’t get much benefit from
    Snort trying to detect this.  You’re better off using the anti-MAC spoofing
    features of your switches, IMO.

Hi Jefferson,

When we do a man-in-the-middle attack, all of the devices' ARP tables update with
the MAC address of the attacker. So this change in MAC address should be detected as
session hijacking by the stream5 preprocessor, because the stream5
check_session_hijacking option relies on changes in the MAC address of a TCP connection.

i think that what jefferson is attempting to point out is that MAC addresses are 
only good on the current link... in other words, this chart shows 3 MAC address 
changes in the flow of traffic from A to B...

     A -> router1 -> router2 -> B

and this one shows 5 changes...

     A -> router1 -> router2 -> router3 -> router4 -> B

the source MAC and destination MAC inside the packet will change at each "->"... 
IIRC, this is the same for hubs and switches, too...

-- 
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
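Added illustration of the two points made in this thread (this is example code written for this archive page, not code from the original posts and not Snort's own implementation): a small Python simulation of what the stream5 check_session_hijacking option does, namely remember the hardware address each side of a TCP session used when it was first seen and alert when a later packet for that session arrives from a different source MAC. All MAC and IP addresses and the frame sequences below are constructed for the example. The first scenario puts the sensor on the same Ethernet segment as both hosts, where the frames an ARP-poisoning attacker relays carry the attacker's source MAC; the second puts the server behind a router, so the sensor only ever sees the router's MAC for that side and a man-in-the-middle on the far segment is invisible to the check, which is the situation Jefferson describes.

```python
"""Simulation of a stream5-style MAC consistency check on TCP sessions.

Example code for the list archive, not Snort source. Addresses are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    """One Ethernet frame carrying a TCP segment, as a sensor would see it."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


def session_key(f: Frame):
    """Direction-independent key for the TCP session this frame belongs to."""
    return tuple(sorted([(f.src_ip, f.src_port), (f.dst_ip, f.dst_port)]))


class HijackMonitor:
    """Tracks the source MAC each IP endpoint of a session was first seen with."""

    def __init__(self):
        self.sessions = {}  # session_key -> {src_ip: src_mac}

    def process(self, frame: Frame):
        """Return an alert string if the sender's MAC changed, else None."""
        side_macs = self.sessions.setdefault(session_key(frame), {})
        known = side_macs.get(frame.src_ip)
        if known is None:
            # First frame from this side (the SYN or SYN-ACK in a normal
            # handshake): learn the hardware address it arrived from.
            side_macs[frame.src_ip] = frame.src_mac
            return None
        if known != frame.src_mac:
            return (f"session hijacking: {frame.src_ip} was {known}, "
                    f"now {frame.src_mac}")
        return None


def run(frames):
    """Feed frames through one monitor and collect the alerts it raises."""
    mon = HijackMonitor()
    return [a for a in (mon.process(f) for f in frames) if a is not None]


# Constructed addresses for the two scenarios.
A_MAC = "aa:aa:aa:aa:aa:01"  # client host A
B_MAC = "bb:bb:bb:bb:bb:02"  # server host B (same segment scenario)
E_MAC = "ee:ee:ee:ee:ee:03"  # attacker doing ARP poisoning
R_MAC = "cc:cc:cc:cc:cc:04"  # default gateway on A's segment

# Scenario 1: sensor, A, B and the attacker share one Ethernet segment.
SAME_SEGMENT = [
    Frame(A_MAC, B_MAC, "10.0.0.5", "10.0.0.9", 40000, 80),  # SYN
    Frame(B_MAC, A_MAC, "10.0.0.9", "10.0.0.5", 80, 40000),  # SYN-ACK
    Frame(A_MAC, B_MAC, "10.0.0.5", "10.0.0.9", 40000, 80),  # ACK
    # A's ARP cache is poisoned: A now addresses frames to the attacker.
    # Source MAC is still A's, so this frame alone does not trip the check.
    Frame(A_MAC, E_MAC, "10.0.0.5", "10.0.0.9", 40000, 80),
    # The attacker relays A's segment to B with its own source MAC: alert.
    Frame(E_MAC, B_MAC, "10.0.0.5", "10.0.0.9", 40000, 80),
]

# Scenario 2: sensor sits on A's segment; B (192.0.2.9) is behind a router.
ROUTED = [
    Frame(A_MAC, R_MAC, "10.0.0.5", "192.0.2.9", 40001, 443),  # SYN
    Frame(R_MAC, A_MAC, "192.0.2.9", "10.0.0.5", 443, 40001),  # SYN-ACK
    Frame(A_MAC, R_MAC, "10.0.0.5", "192.0.2.9", 40001, 443),  # ACK
    # An attacker poisons ARP on B's remote segment and relays traffic there.
    # From this sensor's vantage point B's frames still come from the router.
    Frame(R_MAC, A_MAC, "192.0.2.9", "10.0.0.5", 443, 40001),
]


def same_segment_alerts():
    """Alerts when the sensor shares the link with both endpoints."""
    return run(SAME_SEGMENT)


def routed_alerts():
    """Alerts when the far endpoint is only ever seen behind a router."""
    return run(ROUTED)


if __name__ == "__main__":
    print("same segment:", same_segment_alerts())
    print("routed:      ", routed_alerts())
```

The check only has something to compare against when the sensor is on the same layer-2 segment as the host being impersonated; once a router rewrites the Ethernet header, every remote peer looks like the gateway's MAC and the option cannot see the substitution.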

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
