Snort mailing list archives

Re: arp spoof


From: Jeff Nathan <jeff () snort org>
Date: Fri, 28 Jun 2002 12:50:56 -0700

john wrote:
Hi everybody,
I am new to using Snort. When I read about the arpspoof preprocessor I
can't understand its role from those brief words in the snort.conf file.
Is there another way to learn more about it and the other preprocessors,
other than the Snort manual?

Any help is appreciated.

(Thanks for replying first Mr. Sage!)

Essentially, spp_arpspoof has 4 detection mechanisms.

(The following two methods address the use of 'preprocessor arpspoof' in
snort.conf)

First: If an ARP request is observed, the source hardware address in the
Ethernet frame is compared to the sender Ethernet address in the ARP
packet.  If there is a mismatch an alert is generated.

Second: If an ARP reply is observed, the source hardware address in the
Ethernet frame is compared to the sender Ethernet address in the ARP
packet.  Also, the destination hardware address in the Ethernet frame is
compared to the target Ethernet address within the ARP packet.  If there
is a mismatch in either of the two pairs of fields compared, an alert is
generated.

(The following method addresses the use of 'preprocessor arpspoof:
-unicast' in snort.conf)

Third: If an ARP request is observed where the destination Ethernet
address in the Ethernet header is not the broadcast address
(FF:FF:FF:FF:FF:FF), an alert is generated.

(The following method addresses the use of 'arpspoof_detect_host:
192.168.40.1 f0:0f:00:f0:0f:00' in snort.conf)

Fourth: A list of IP address/MAC address pairs is created in memory.  

If the sender IP address within the ARP frame matches an entry in
snort's list, the MAC address in snort's list is compared to fields
within the Ethernet header and ARP request packet.  If either the source
Ethernet address within the Ethernet header OR the sender Ethernet
address within the ARP packet does not match the entry in snort's list,
an alert is generated.  This test is performed on both ARP requests and
replies.

Chapter 4 of TCP/IP Illustrated volume 1 is very helpful when learning
about ARP.

I hope this addresses your questions.

-Jeff

-- 
http://jeff.wwti.com            (pgp key available)
"Common sense is the collection of prejudices acquired by age eighteen."
- Albert Einstein
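The four checks Jeff lists above, written out as a small Python detector so the field comparisons can be seen on real frame bytes. This is an added example for this archive page, not Snort's spp_arpspoof code. It parses a plain Ethernet II + ARP (Ethernet/IPv4) frame, then applies the request/reply field comparisons, the optional unicast-request check, and the pinned IP/MAC table check. The gateway pair 192.168.40.1 / f0:0f:00:f0:0f:00 is taken from the config line quoted in the mail; the other MAC and IP values, the frame layouts and the function names are constructed for the example.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2
BROADCAST = bytes.fromhex("ffffffffffff")


def mac(text: str) -> bytes:
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


@dataclass
class ArpFrame:
    eth_dst: bytes      # destination hardware address in the Ethernet header
    eth_src: bytes      # source hardware address in the Ethernet header
    opcode: int         # 1 = request, 2 = reply
    sender_hw: bytes    # sender Ethernet address inside the ARP packet
    sender_ip: str
    target_hw: bytes    # target Ethernet address inside the ARP packet
    target_ip: str


def parse_arp_frame(raw: bytes) -> ArpFrame:
    """Parse a 42-byte Ethernet II + ARP (Ethernet/IPv4) frame."""
    if len(raw) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", raw[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", raw[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    return ArpFrame(eth_dst, eth_src, op, sha, socket.inet_ntoa(spa),
                    tha, socket.inet_ntoa(tpa))


def build_arp_frame(eth_dst, eth_src, opcode, sha, spa, tha, tpa) -> bytes:
    """Build a raw frame; used here only to construct sample input."""
    return (struct.pack("!6s6sH", eth_dst, eth_src, ETHERTYPE_ARP) +
            struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode,
                        sha, socket.inet_aton(spa), tha, socket.inet_aton(tpa)))


def check_arp_frame(frame: ArpFrame, unicast: bool = False,
                    hosts: Optional[Dict[str, bytes]] = None) -> List[str]:
    """Apply the four checks from the mail and return alert strings."""
    alerts = []
    if frame.opcode == ARP_REQUEST:
        # First: Ethernet source vs. ARP sender hardware address
        if frame.eth_src != frame.sender_hw:
            alerts.append("request: Ethernet src != ARP sender hw address")
        # Third ('-unicast'): requests are expected to be broadcast
        if unicast and frame.eth_dst != BROADCAST:
            alerts.append("request: unicast ARP request")
    elif frame.opcode == ARP_REPLY:
        # Second: both pairs of fields must agree
        if frame.eth_src != frame.sender_hw:
            alerts.append("reply: Ethernet src != ARP sender hw address")
        if frame.eth_dst != frame.target_hw:
            alerts.append("reply: Ethernet dst != ARP target hw address")
    # Fourth ('arpspoof_detect_host'): pinned pairs, requests and replies alike
    if hosts and frame.sender_ip in hosts:
        expected = hosts[frame.sender_ip]
        if frame.eth_src != expected or frame.sender_hw != expected:
            alerts.append(f"sender {frame.sender_ip} should be {mac_str(expected)}")
    return alerts


# Constructed sample data; the gateway pair is the one from the mail's config line.
GATEWAY_IP = "192.168.40.1"
GATEWAY_MAC = mac("f0:0f:00:f0:0f:00")
HOST_MAC = mac("00:11:22:33:44:55")       # constructed
ROGUE_MAC = mac("de:ad:be:ef:00:01")      # constructed
ZERO_MAC = bytes(6)
HOSTS = {GATEWAY_IP: GATEWAY_MAC}

SAMPLE_FRAMES = {
    "legit_request": build_arp_frame(BROADCAST, HOST_MAC, ARP_REQUEST,
                                     HOST_MAC, "192.168.40.2", ZERO_MAC, GATEWAY_IP),
    "legit_reply": build_arp_frame(HOST_MAC, GATEWAY_MAC, ARP_REPLY,
                                   GATEWAY_MAC, GATEWAY_IP, HOST_MAC, "192.168.40.2"),
    "unicast_request": build_arp_frame(HOST_MAC, ROGUE_MAC, ARP_REQUEST,
                                       ROGUE_MAC, "192.168.40.9", ZERO_MAC, "192.168.40.2"),
    "mismatched_reply": build_arp_frame(HOST_MAC, ROGUE_MAC, ARP_REPLY,
                                        GATEWAY_MAC, "192.168.40.7", HOST_MAC, "192.168.40.2"),
    # internally consistent frame; only the pinned-host table catches it
    "pinned_gateway": build_arp_frame(HOST_MAC, ROGUE_MAC, ARP_REPLY,
                                      ROGUE_MAC, GATEWAY_IP, HOST_MAC, "192.168.40.2"),
}


def run_checks(unicast: bool = True, hosts=HOSTS) -> Dict[str, List[str]]:
    return {name: check_arp_frame(parse_arp_frame(raw), unicast, hosts)
            for name, raw in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for name, alerts in run_checks().items():
        print(f"{name}: {alerts or 'no alert'}")
```

The "pinned_gateway" frame is the case worth noting: its Ethernet header and ARP body agree with each other, so the first two checks pass, and only the arpspoof_detect_host table (fourth mechanism) flags that 192.168.40.1 is being claimed by a hardware address other than the configured one.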


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
