Snort mailing list archives

Re: Detecting Broadcast with Snort


From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 21 Feb 2003 16:57:33 -0500

Of some note, arpwatch has some syslog output which is sometimes helpful in detecting a borked NIC..

It will report a bogon or broadcast alert to syslog if any machine makes certain wildly borked arp requests.

i.e.:
arpwatch: ethernet broadcast 10.0.x.x ff:ff:ff:ff:ff:ff

arpwatch: bogon 169.254.x.x ff:ff:ff:ff:ff:ff


The first indicates that the *source* MAC address of an arp packet sent by 10.0.x.x was a broadcast... (ERK!)

The "bogon" indicates that an arp request has a source IP address that's not part of the local network's IP addresses (ACK!)


At 01:13 PM 2/21/2003 -0800, twig les wrote:
Actually I think we're both on the same track, the destination
being that snort shouldn't do anything.  If your network has
excessive broadcasts then it has a problem (worm, arp storm,
whatever).  The admin needs to fix the underlying problem, not
depend on snort as a swiss-army knife (that's netcat anyway:) to
do everything.  Notification is enough.


--- Matt Kettler <mkettler () evi-inc com> wrote:
> Oh, I agree it would be a neat detection plugin.. and
> something that can
> likely be implemented by writing a plugin to the snort code.
>
>   I was more going on just wondering what "corrective action"
> snort was
> expected to take :)
>
> At 11:41 AM 2/21/2003 -0800, twig les wrote:
> >This would be a neat plugin though - broadcast threshold
> alerts.
> >  Once we netadmin types get a baseline it'd be nice to have
> >warning when NIC driver goes nutso and starts broadcasting or
> >something.
>
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: SlickEdit Inc. Develop an
> edge.
> The most comprehensive and flexible code editor you can use.
> Code faster. C/C++, C#, Java, HTML, XML, many more. FREE
> 30-Day Trial.
> www.slickedit.com/sourceforge
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


=====
-----------------------------------------------------------
Know yourself and know your enemy and you will never fear defeat.
-----------------------------------------------------------






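As an added example (not code from this thread or from arpwatch itself), here is a small Python version of the two sender-field sanity checks Matt describes, plus a parser for syslog lines of the shape quoted in his message so a batch of them can be tallied per offending MAC. It assumes the message text is exactly `arpwatch: <kind> <ip> <mac>`, optionally behind a syslog prefix; the local prefix list and the sample lines are constructed.

```python
import ipaddress
import re

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

# Matches the two line shapes quoted above; a leading syslog prefix is allowed.
_LINE_RE = re.compile(
    r"arpwatch: (?P<kind>ethernet broadcast|bogon) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def check_arp_sender(sender_ip, sender_mac, local_nets):
    """Return the arpwatch-style alert kinds for one ARP packet's sender fields:
    "ethernet broadcast" when the sender *hardware* address is ff:ff:ff:ff:ff:ff,
    "bogon" when the sender *protocol* address lies outside every local prefix."""
    alerts = []
    if sender_mac.lower() == BROADCAST_MAC:
        alerts.append("ethernet broadcast")
    ip = ipaddress.ip_address(sender_ip)
    if not any(ip in ipaddress.ip_network(n) for n in local_nets):
        alerts.append("bogon")
    return alerts


def parse_arpwatch_line(line):
    """Parse one syslog line into (kind, ip, mac); None for any other line."""
    m = _LINE_RE.search(line)
    if not m:
        return None
    return (m.group("kind").lower(), m.group("ip"), m.group("mac").lower())


def count_alerts(lines):
    """Tally alerts per (kind, sender MAC): a burst from one MAC is the
    broken-NIC signal the message above refers to."""
    counts = {}
    for line in lines:
        parsed = parse_arpwatch_line(line)
        if parsed:
            key = (parsed[0], parsed[2])
            counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample syslog lines (not real captures).
SAMPLE_LINES = [
    "Feb 21 16:57:33 sensor arpwatch: ethernet broadcast 10.0.3.7 ff:ff:ff:ff:ff:ff",
    "Feb 21 16:57:34 sensor arpwatch: bogon 169.254.12.5 ff:ff:ff:ff:ff:ff",
    "Feb 21 16:57:35 sensor arpwatch: new station 10.0.3.9 00:11:22:33:44:55",
]
```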
