Mark wrote:
> Hi, on less secure machines I completely turn off ARP on the interface
> with the ifconfig command, and static arp anything that the computer needs
> to talk to like its default gateway. This seems to make the Linux not try
> to arp anything, and ignores others arping.
>
> Also, you can use ARPWATCH to tell you when an IP address changes MAC or
> vice versa I think.
>
If you are interested in an IDS tool, you can also use prelude-nids from
Prelude-IDS (http://www.prelude-ids.org) which has the same feature (IP
associated with MAC) and others about ARP attacks (plugin called
"ArpSpoof") [Attempted ARP cache overwrite attack...]
Easy to configure: /usr/local/etc/prelude-nids/prelude-nids.conf
...
[ArpSpoof]
#
# Search anomaly in ARP request.
#
# The "directed" option will result in a warn each time an ARP
# request is sent to an address other than the broadcast address.
#
# directed;
# arpwatch=<ip> <macaddr>;
...
> Most of my sniffing machines I use an ethernet cable that lets the computer
> listen but never transmit, and turn off ARP on the Interface so the Linux
> doesn't try to ARP things, it's way harder to hack a machine if you can't
> interact with it.
Don't you have problems with full duplex networks?
>
> Hope this helps you some.
>
Me too.
laurent.
> -Mark
>
> ----- Original Message -----
> From: "falcifer" <falcifer2001_at_yahoo.es>
> To: <focus-ids_at_securityfocus.com>
> Sent: Monday, April 14, 2003 9:02 PM
> Subject: filtering ARP and detecting ARP spoofing
>
>
>
>>Hi
>>I've 2 questions:
>>
>>1- Is there any way to filter ARP packets on Linux (I've heard about
>>arptables but I wasn't able to find how I can use it)
>>
>>2- In an environment with dynamic IPs, how can I implement an IDS to detect
>>ARP spoofing? What rules could I implement for it? Are there any Cisco switches
>>that implement any of these features?
>>
>>Thanks to all
>>--
>>falcifer <falcifer2001_at_yahoo.es>
>>
>>
>>------------------------------------------------------------------------------
>>INTRUSION PREVENTION: READY FOR PRIME TIME?
>>
>>IntruShield now offers unprecedented Intrusion IntelligenceTM capabilities -
>>including intrusion identification, relevancy, direction, impact and
>>analysis - enabling a path to prevention.
>>
>>Download the latest white paper "Intrusion Prevention: Myths, Challenges,
>>and Requirements" at: http://www.securityfocus.com/IntruVert-focus-ids
Received on Apr 15 2003
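
The two checks discussed in this thread (an IP address changing MAC, as arpwatch reports, and the "directed" warning for ARP requests not sent to broadcast), as an added Python example that is not part of the original messages and is not arpwatch's or Prelude's code. The ArpMonitor class, its pinned and warn_directed parameters, the alert wording and the sample addresses used with build_arp are assumptions made for illustration.

```python
import socket
import struct

BROADCAST = b"\xff" * 6

def parse_arp(frame):
    """Parse an Ethernet/IPv4 ARP frame; return None for anything else."""
    if len(frame) < 42:
        return None
    eth_dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if ethertype != 0x0806 or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return eth_dst, op, sha.hex(":"), socket.inet_ntoa(spa), socket.inet_ntoa(tpa)

class ArpMonitor:
    def __init__(self, pinned=None, warn_directed=False):
        self.pinned = dict(pinned or {})   # operator-supplied ip -> mac pairs
        self.learned = {}                  # pairs observed on the wire (dynamic IPs)
        self.warn_directed = warn_directed

    def inspect(self, frame):
        """Return a list of alert strings for one captured frame."""
        parsed = parse_arp(frame)
        if parsed is None:
            return []
        eth_dst, op, s_mac, s_ip, t_ip = parsed
        alerts = []
        if self.warn_directed and op == 1 and eth_dst != BROADCAST:
            alerts.append(f"directed ARP request for {t_ip} sent to {eth_dst.hex(':')}")
        if s_ip == "0.0.0.0":              # ARP probe: sender claims no address yet
            return alerts
        known = self.pinned.get(s_ip) or self.learned.get(s_ip)
        if known is None:
            self.learned[s_ip] = s_mac
        elif known != s_mac:
            kind = "pinned" if s_ip in self.pinned else "learned"
            alerts.append(f"{s_ip} moved from {known} ({kind}) to {s_mac}")
            self.learned[s_ip] = s_mac     # pinned entries still win on lookup
        return alerts

def build_arp(eth_dst, op, s_mac, s_ip, t_mac, t_ip):
    """Build a frame from constructed sample values (not a capture)."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return (raw(eth_dst) + raw(s_mac)
            + struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, op)
            + raw(s_mac) + socket.inet_aton(s_ip) + raw(t_mac) + socket.inet_aton(t_ip))
```

Linux hosts also send unicast ARP requests when revalidating neighbor-cache entries, so warn_directed is best tuned against a baseline of the segment before it is treated as an alert source.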