Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: ARPSpoof!

From: Jeff Nathan <jeff () snort org>
Date: Tue, 17 Feb 2004 20:23:04 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Andrew,
I am very busy with my day job and have limited time to work on Snort related projects for the next few weeks.
In order for me to address your question, I need *MUCH* more information. 

How are you generating ARP frames to test arpspoof?
Are you adding entries to the snort.conf file where the hardware address slightly differs from the correct hardware address? 

Are you using a piece of software to generate ARP frames?
Can you send me a tcpdump formatted capture file from the machine running snort? Please do something like this to save the file: tcpdump - -s 100 -w arp.out arp
I cannot help you without knowing more. For example, from the information you have provided I cannot determine whether or not ARP frames are being generated which would match the in-memory configuration of spp_arpspoof. Also, I cannot confirm that the system running snort can see these ARP frames, which might occur due to your network topology. 

I will do my best to answer your question once I have more information.

Thank you for understanding that I'm a volunteer.

- -Jeff


On Feb 17, 2004, at 8:01 PM, Andrew Steven wrote:


Hi,
How are you? Hope you would have seen my mail to the mailing list regarding the ARP cache overwrite attacks. I will tell you how i performed my test on snort. Disabled all other preprocessors except the following in snort.conf. 
preprocessor arpspoof
preprocessor arpspoof_detect_host: 10.1.1.1 00:D0:59:26:85:5E
preprocessor arpspoof_detect_host: 10.1.1.2 00:D0:B7:44:9E:03
Enabled the tcpdump logging for snort and simultaneously made the ethereal also to sniff. In ethereal i could see the step by step packets like ARP request, ARP reply and so on... But in snort's tcpdump, i didnt see any ARP request or ARP reply but instead an ICMP packet where both the source IP and destination IP's MAC address are resolved. What happened to the ARP packets. Dropped? 

One more criteria,

preprocessor arpspoof
preprocessor arpspoof_detect_host: 10.1.1.1 00:D0:59:26:85:5E
Havinag only one configuration is fine. Snort's TCPDump has the ARP packets and there by raising the ARP cache overwrite attacks. 

These are my findings. Awaiting for your reply.
Regards,
Andrew.

_________________________________________________________________
Keep track of Singapore & Malaysia stock prices. http://www.msn.com.sg/money/ 




- --
Custom packets with little to no money down.
http://nemesis.sourceforge.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFAMr57Eqr8+Gkj0/0RAusIAKDBNeYxP3LuIoKI4zP8KoV8041xfgCcCFn+
vQmWuhTiiAKRv0hLce7/sLk=
=QZu7
-----END PGP SIGNATURE-----



-------------------------------------------------------
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: