Snort mailing list archives

Re: Tcp session hijacking


From: Meysam Farazmand <farazmand.meisam () gmail com>
Date: Tue, 19 Aug 2014 22:34:02 +0430

Hi Waldo,

My testing network consists of four PCs and an unmanaged switch, and I don't
have any router. As I said before, I poisoned all of the PC and switch ARP
tables with "ettercap". So, when the benign PC makes a TCP connection to the Snort PC
and we poison its ARP tables, the source MAC address changes to the MAC
address of the attacker, and I expect Snort to detect this change.
On Aug 19, 2014 10:23 PM, "waldo kitty" <wkitty42 () windstream net> wrote:


top posting "corrected" to inline for readability... see my reply below...

On 8/19/2014 1:00 PM, Meysam Farazmand wrote:
On Aug 19, 2014 9:11 PM, "Jefferson, Shawn" <Shawn.Jefferson () bcferries com> wrote:

    Wouldn't your MAC addresses just be those of your routers anyway? Any
    non-trivial network (i.e. Enterprise) probably won't get much benefit from
    Snort trying to detect this. You're better off using the anti-MAC spoofing
    features of your switches, IMO.

Hi Jefferson,

When we do a man-in-the-middle attack, all of the devices' ARP tables update
with the MAC address of the attacker. So this change in MAC address should be
detected as session hijacking by the stream5 preprocessor, because the stream5
check_session_hijacking option relies on changes in the MAC address of a TCP
connection.

i think that what jefferson is attempting to point out is that MAC addresses are
only good on the current link... in other words, this chart shows 3 MAC address
changes in the flow of traffic from A to B...

     A -> router1 -> router2 -> B

and this one shows 5 changes...

     A -> router1 -> router2 -> router3 -> router4 -> B

the source MAC and destination MAC inside the packet will change at each "->"...
IIRC, this is the same for hubs and switches, too...

--
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.

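An added example (not code from this thread or from Snort) modelling the check that check_session_hijacking performs: a flow table that pins each endpoint's MAC when the flow is first seen and alerts when a later packet carries a different one. The sample traffic is constructed; the poisoned set shows the change Meysam expects to see on a flat LAN, and the routed set shows waldo's point that behind a router every frame already carries the router's MAC, so there is nothing to notice.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    sport: int
    dport: int

def detect_hijacks(packets):
    """Return one alert string per packet whose source or destination MAC
    differs from the MAC first recorded for that endpoint of the flow.
    Assumption: MACs are pinned at the first packet seen, not strictly at the handshake."""
    flows = {}   # flow key -> {(ip, port): mac first seen for that endpoint}
    alerts = []
    for i, p in enumerate(packets):
        # Direction-independent key so both halves of the connection share one entry
        key = tuple(sorted([(p.src_ip, p.sport), (p.dst_ip, p.dport)]))
        seen = flows.setdefault(key, {})
        for ep, mac in (((p.src_ip, p.sport), p.src_mac),
                        ((p.dst_ip, p.dport), p.dst_mac)):
            if ep not in seen:
                seen[ep] = mac
            elif seen[ep] != mac:
                alerts.append(f"packet {i}: MAC for {ep[0]}:{ep[1]} "
                              f"changed {seen[ep]} -> {mac}")
    return alerts

# Constructed sample traffic (all addresses are made up).
BENIGN, SNORT, ATTACKER, ROUTER = ("aa:00:00:00:00:10", "aa:00:00:00:00:20",
                                   "aa:00:00:00:00:99", "aa:00:00:00:00:01")

# Flat LAN: after ARP poisoning, frames from the benign PC arrive carrying the
# attacker's MAC, which is the change stream5 is meant to flag.
POISONED = [
    Pkt(BENIGN, SNORT, "10.0.0.10", "10.0.0.20", 40000, 80),
    Pkt(SNORT, BENIGN, "10.0.0.20", "10.0.0.10", 80, 40000),
    Pkt(ATTACKER, SNORT, "10.0.0.10", "10.0.0.20", 40000, 80),
]

# Routed network: every frame from the remote client already carries the
# router's MAC, so a MAC-based check has nothing to compare against.
ROUTED = [
    Pkt(ROUTER, SNORT, "192.168.5.7", "10.0.0.20", 40001, 80),
    Pkt(SNORT, ROUTER, "10.0.0.20", "192.168.5.7", 80, 40001),
    Pkt(ROUTER, SNORT, "192.168.5.7", "10.0.0.20", 40001, 80),
]
```

Running detect_hijacks(POISONED) yields a single alert for the third packet, while detect_hijacks(ROUTED) yields none.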

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!