Snort mailing list archives

Re: [Snort-sigs] ARP scan


From: "jon baer" <security () jonbaer net>
Date: Mon, 6 Oct 2003 10:30:57 -0400

while there are many tools which can accomplish this type of activity, ettercap is the most common:

http://ettercap.sourceforge.net

here is an archive of jeff's analysis of how the arp preprocessor works (not sure if it's outdated):

http://www.geocrawler.com/archives/3/4890/2002/6/0/9056309/

- jon
  ----- Original Message ----- 
  From: Martin Jr., D. Michael 
  To: snort-sigs () lists sourceforge net 
  Sent: Monday, October 06, 2003 9:30 AM
  Subject: [Snort-sigs] ARP scan


  I am new to snort but think it can probably do what we need.  Recently we have been plagued by an onslaught of 
computer viruses on our residence hall computer network (I am the Network Admin for a University).  In any event, I 
have been using Ethereal to sniff our network and all of the infected computers seem to have one common denominator... 
They perform an ARP scan to identify other potential clients to infect and thus perform a Denial of Service attack on 
the campus as a result.  The sniffed traffic looks similar to this:

     No. Time        Source                Destination           Protocol Info
        1 0.000000    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP      Who has 192.168.143.18?  Tell 192.168.103.75
        2 0.013977    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP      Who has 192.168.143.19?  Tell 192.168.103.75
        3 0.018469    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP      Who has 192.168.143.20?  Tell 192.168.103.75
        4 0.034004    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP      Who has 192.168.143.21?  Tell 192.168.103.75
        5 0.049736    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP      Who has 192.168.143.22?  Tell 192.168.103.75
        6 0.065195    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP      Who has 192.168.143.23?  Tell 192.168.103.75
        7 0.081136    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP      Who has 192.168.143.24?  Tell 192.168.103.75
        8 0.096509    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP      Who has 192.168.143.25?  Tell 192.168.103.75
   
  Any suggestions on the best way to get snort to detect and report this type of traffic???

  All I need is the hardware address of the culprit.  From there I can go to our DHCP server and ascertain the IP and 
any owner information.

  Thanks,

  Michael Martin
  University of Montevallo
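An added example, not code from either message or from the Snort project: a small Python detector that parses Ethereal-style ARP summary lines like those quoted above and reports the source hardware address of any host that asks for many distinct IPs within a short time window, which is the pattern the infected machines show. The sample lines (the eight from the message plus a constructed benign host with hypothetical MAC 00:11:22:33:44:55), the one-second window and the eight-target threshold are assumptions for the demo.

```python
import re
from collections import defaultdict

# Constructed sample in the Ethereal summary format quoted in the message:
# one MAC walking 192.168.143.18-25, plus a benign host resolving one address.
SAMPLE = """\
1 0.000000  00:08:a1:15:cd:d7  ff:ff:ff:ff:ff:ff  ARP  Who has 192.168.143.18?  Tell 192.168.103.75
2 0.013977  00:08:a1:15:cd:d7  ff:ff:ff:ff:ff:ff  ARP  Who has 192.168.143.19?  Tell 192.168.103.75
3 0.018469  00:08:a1:15:cd:d7  ff:ff:ff:ff:ff:ff  ARP  Who has 192.168.143.20?  Tell 192.168.103.75
4 0.034004  00:08:a1:15:cd:d7  ff:ff:ff:ff:ff:ff  ARP  Who has 192.168.143.21?  Tell 192.168.103.75
5 0.049736  00:08:a1:15:cd:d7  ff:ff:ff:ff:ff:ff  ARP  Who has 192.168.143.22?  Tell 192.168.103.75
6 0.065195  00:08:a1:15:cd:d7  ff:ff:ff:ff:ff:ff  ARP  Who has 192.168.143.23?  Tell 192.168.103.75
7 0.081136  00:08:a1:15:cd:d7  ff:ff:ff:ff:ff:ff  ARP  Who has 192.168.143.24?  Tell 192.168.103.75
8 0.096509  00:08:a1:15:cd:d7  ff:ff:ff:ff:ff:ff  ARP  Who has 192.168.143.25?  Tell 192.168.103.75
9 0.200000  00:11:22:33:44:55  ff:ff:ff:ff:ff:ff  ARP  Who has 192.168.103.1?  Tell 192.168.103.20
10 5.100000  00:11:22:33:44:55  ff:ff:ff:ff:ff:ff  ARP  Who has 192.168.103.1?  Tell 192.168.103.20
"""

# Frame no., time, source MAC, destination MAC, then "Who has X?  Tell Y".
LINE_RE = re.compile(
    r"^\s*\d+\s+([\d.]+)\s+(\S+)\s+(\S+)\s+ARP\s+Who has ([\d.]+)\?\s+Tell ([\d.]+)")

def parse_arp_requests(text):
    """Yield (time, source_mac, target_ip) for broadcast ARP who-has lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(3).lower() == "ff:ff:ff:ff:ff:ff":
            yield float(m.group(1)), m.group(2).lower(), m.group(4)

def find_arp_scanners(text, window=1.0, min_targets=8):
    """Return {source_mac: peak_distinct_targets} for hosts that asked about at
    least min_targets distinct IPs inside any sliding window of `window` seconds."""
    per_mac = defaultdict(list)
    for t, mac, ip in parse_arp_requests(text):
        per_mac[mac].append((t, ip))
    offenders = {}
    for mac, events in per_mac.items():
        events.sort()
        left, peak = 0, 0
        for right, (t, _) in enumerate(events):
            while t - events[left][0] > window:   # slide the window's left edge
                left += 1
            peak = max(peak, len({ip for _, ip in events[left:right + 1]}))
        if peak >= min_targets:
            offenders[mac] = peak
    return offenders

if __name__ == "__main__":
    for mac, n in find_arp_scanners(SAMPLE).items():
        print(f"ARP scan suspected from {mac}: {n} distinct targets within 1s")
```

The reported MAC is what the original poster needs for the DHCP lookup; tune the window and threshold to the normal ARP rate of the segment before trusting the output.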
