IDS mailing list archives
Re: filtering ARP and detecting ARP spoofing
From: oudot laurent <oudot.laurent () wanadoo fr>
Date: Tue, 15 Apr 2003 23:17:32 +0200
Mark wrote:
Hi, on lesser secure machines I completely turn off ARP on the interface with the ifconfig command, and static arp anything that the computer needs to talk to like its default gateway. This seems to make the Linux not try to arp anything, and ignores others arping. Also, you can use ARPWATCH to tell you when an IP address changes MAC or vice versa, I think.
If you are interested in an IDS tool, you can also use prelude-nids from Prelude-IDS (http://www.prelude-ids.org), which has the same feature (IP associated with MAC) and others about ARP attacks (plugin called "ArpSpoof") [Attempted ARP cache overwrite attack...]
Easy to configure: /usr/local/etc/prelude-nids/prelude-nids.conf
...
[ArpSpoof]
#
# Search anomaly in ARP request.
#
# The "directed" option will result in a warn each time an ARP
# request is sent to an address other than the broadcast address.
#
# directed;
# arpwatch=<ip> <macaddr>;
...
On most of my sniffing machines I use an ethernet cable that lets the computer listen but never transmit, and turn off ARP on the interface so the Linux doesn't try to ARP things; it's way harder to hack a machine if you can't interact with it.
Don't you have problems with full duplex networks?
Hope this helps you some.
Me too. laurent.
-Mark

----- Original Message -----
From: "falcifer" <falcifer2001 () yahoo es>
To: <focus-ids () securityfocus com>
Sent: Monday, April 14, 2003 9:02 PM
Subject: filtering ARP and detecting ARP spoofing

Hi

I've 2 questions:

1- Is there any way to filter ARP packets on Linux (I've heard about arptables but I wasn't able to find how I can use it)?
2- In an environment with dynamic IPs, how can I implement an IDS to detect ARP spoofing? What rules could I implement for it? Are there any Cisco switches that implement any of these features?

Thanks to all

--
falcifer <falcifer2001 () yahoo es>
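The two checks discussed in this thread, an IP-to-MAC binding that changes (what arpwatch reports) and an ARP request sent to a non-broadcast address (the "directed" option quoted above), shown as an added Python example; it is not code from the thread, from arpwatch or from Prelude. The names ArpMonitor, parse_arp, arp_frame and the pinned table are assumptions made for illustration, and the frames it is fed are constructed samples.

```python
import struct

BROADCAST = b"\xff" * 6

def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)

def arp_frame(eth_dst, op, sha, spa, tpa):
    """Build a constructed Ethernet/ARP frame for the demo (not captured traffic)."""
    eth = struct.pack("!6s6sH", eth_dst, sha, 0x0806)
    return eth + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                             sha, bytes(spa), b"\x00" * 6, bytes(tpa))

def parse_arp(frame):
    """Return (eth_dst, op, sender_mac, sender_ip, target_ip), or None if not ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    dotted = lambda b: ".".join(map(str, b))
    return frame[:6], op, fmt_mac(sha), dotted(spa), dotted(tpa)

class ArpMonitor:
    def __init__(self, pinned=None, directed=True):
        self.pinned = dict(pinned or {})  # static ip -> mac pairs, e.g. the gateway
        self.learned = {}                 # ip -> mac pairs observed on the wire
        self.directed = directed          # warn on ARP requests not sent to broadcast

    def check(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return []
        eth_dst, op, smac, sip, tip = parsed
        alerts = []
        # Unicast requests also occur when a host revalidates a cached entry,
        # which is why this check is switchable.
        if self.directed and op == 1 and eth_dst != BROADCAST:
            alerts.append(f"directed ARP request for {tip} to {fmt_mac(eth_dst)}")
        if sip == "0.0.0.0":              # ARP probe: no sender binding to record
            return alerts
        if sip in self.pinned:
            if smac != self.pinned[sip]:
                alerts.append(f"{sip} is pinned to {self.pinned[sip]} but claimed by {smac}")
        elif self.learned.setdefault(sip, smac) != smac:
            alerts.append(f"{sip} changed from {self.learned[sip]} to {smac}")
            self.learned[sip] = smac
        return alerts
```

With dynamic addressing, a learned binding also changes legitimately when a DHCP lease is reassigned, so a "changed" alert needs correlating with lease data; pinned entries suit hosts with fixed addresses such as the default gateway.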