Snort mailing list archives

Re: ARP packets : important ?


From: Jeff Nathan <jeff () snort org>
Date: Tue, 05 Mar 2002 14:17:36 -0800

Ryan Russell wrote:

On Tue, 5 Mar 2002, Ashley Thomas wrote:
From an IDS point of view, is it important to look at ARP packets?
Are there any security threats / loopholes etc.?

ARP packets with bad information/for non-existent hosts may be indicative
of someone playing games in order to be able to sniff on a switched
network, or get traffic to flow through them in order to hijack
connections.  There is also at least one ARP exploit I'm aware of that
will allow someone to cause Cisco equipment to drop off the network
(Jeff?)

However, to be able to spot many of these attacks, you have to have an
idea of what "normal" ARP traffic is.  This would require a database of
MAC and IP addresses.  I don't know if there is a plugin for Snort to do
this.

                                        Ryan


Er, yeah..

There are plenty of ARP games to be played but placing IDS on each of
your collision domains can be a complicated mess.  Snort has
spp_arpspoof which allows you to specify a mapping of IP addresses to
MAC addresses (if you're feeling brave).  If you don't specify a list,
you can use it to look for a few anomalies in ARP traffic.  Your mileage
may vary.

-Jeff


-- 
http://jeff.wwti.com            (pgp key available)
"Common sense is the collection of prejudices acquired by age eighteen."
- Albert Einstein
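As an added illustration (not code from this thread or from Snort itself), a small Python monitor that does the two things Jeff describes: flag a few anomalies in individual ARP frames when no mapping is given, and flag IP-to-MAC disagreements when a table like the one spp_arpspoof accepts is supplied. The specific anomaly checks, the host table and the sample frames are constructed for this example and are an assumption about what such a preprocessor looks for, not a description of its real implementation.

```python
import struct

ETH_BROADCAST = "ff:ff:ff:ff:ff:ff"
ARP_REQUEST, ARP_REPLY = 1, 2

# Hypothetical IP -> MAC table for the monitored segment (constructed values).
HOST_TABLE = {"192.168.1.1": "00:11:22:33:44:55", "192.168.1.10": "aa:bb:cc:dd:ee:01"}

def mac_str(b):  # 6 raw bytes -> "aa:bb:cc:dd:ee:ff"
    return ":".join(f"{x:02x}" for x in b)

def parse_arp(frame):
    """Decode an Ethernet II frame carrying IPv4-over-Ethernet ARP; None otherwise."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != 0x0806:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_dst": mac_str(frame[0:6]), "eth_src": mac_str(frame[6:12]), "op": op,
            "sha": mac_str(frame[22:28]), "spa": ".".join(map(str, frame[28:32])),
            "tha": mac_str(frame[32:38]), "tpa": ".".join(map(str, frame[38:42]))}

def check_arp(frame, table=None):
    """Return a list of alert strings for one frame (empty list = looks normal)."""
    arp = parse_arp(frame)
    if arp is None:
        return []
    alerts = []
    if arp["eth_src"] != arp["sha"]:          # link-layer source contradicts ARP body
        alerts.append("ethernet src != ARP sender MAC")
    if arp["op"] == ARP_REQUEST and arp["eth_dst"] != ETH_BROADCAST:
        alerts.append("unicast ARP request")  # requests are normally broadcast
    if arp["op"] == ARP_REPLY and arp["eth_dst"] != arp["tha"]:
        alerts.append("ethernet dst != ARP target MAC")
    if table and arp["spa"] in table and table[arp["spa"]] != arp["sha"]:
        alerts.append(f"{arp['spa']} claimed by {arp['sha']}, expected {table[arp['spa']]}")
    return alerts

def build_arp(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Assemble a constructed test frame; only used to feed sample traffic to check_arp."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return (mac(eth_dst) + mac(eth_src) + struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, op)
            + mac(sha) + ip(spa) + mac(tha) + ip(tpa))

# Constructed sample traffic: one ordinary request, one reply that contradicts the table.
NORMAL_REQUEST = build_arp(ETH_BROADCAST, "aa:bb:cc:dd:ee:01", ARP_REQUEST,
                           "aa:bb:cc:dd:ee:01", "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1")
SUSPECT_REPLY = build_arp("aa:bb:cc:dd:ee:01", "de:ad:be:ef:00:01", ARP_REPLY,
                          "de:ad:be:ef:00:01", "192.168.1.1", "aa:bb:cc:dd:ee:01", "192.168.1.10")
```

Run `check_arp(SUSPECT_REPLY)` with no table and it passes the frame-level checks; only the table makes the bogus gateway reply visible, which is Ryan's point about needing a notion of "normal".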
