Snort mailing list archives
Re: ARPSpoof!
From: Jeff Nathan <jeff () snort org>
Date: Tue, 17 Feb 2004 20:23:04 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Andrew,I am very busy with my day job and have limited time to work on Snort related projects for the next few weeks.
In order for me to address your question, I need *MUCH* more information.
How are you generating ARP frames to test arpspoof?Are you adding entries to the snort.conf file where the hardware address slightly differs from the correct hardware address?
Are you using a piece of software to generate ARP frames?Can you send me a tcpdump formatted capture file from the machine running snort? Please do something like this to save the file: tcpdump - -s 100 -w arp.out arp
I cannot help you without knowing more. For example, from the information you have provided I cannot determine whether or not ARP frames are being generated which would match the in-memory configuration of spp_arpspoof. Also, I cannot confirm that the system running snort can see these ARP frames, which might occur due to your network topology.
I will do my best to answer your question once I have more information. Thank you for understanding that I'm a volunteer. - -Jeff On Feb 17, 2004, at 8:01 PM, Andrew Steven wrote:
Hi,How are you? Hope you would have seen my mail to the mailing list regarding the ARP cache overwrite attacks. I will tell you how i performed my test on snort. Disabled all other preprocessors except the following in snort.conf.preprocessor arpspoof preprocessor arpspoof_detect_host: 10.1.1.1 00:D0:59:26:85:5E preprocessor arpspoof_detect_host: 10.1.1.2 00:D0:B7:44:9E:03Enabled the tcpdump logging for snort and simultaneously made the ethereal also to sniff. In ethereal i could see the step by step packets like ARP request, ARP reply and so on... But in snort's tcpdump, i didnt see any ARP request or ARP reply but instead an ICMP packet where both the source IP and destination IP's MAC address are resolved. What happened to the ARP packets. Dropped?One more criteria, preprocessor arpspoof preprocessor arpspoof_detect_host: 10.1.1.1 00:D0:59:26:85:5EHavinag only one configuration is fine. Snort's TCPDump has the ARP packets and there by raising the ARP cache overwrite attacks.These are my findings. Awaiting for your reply. Regards, Andrew. _________________________________________________________________Keep track of Singapore & Malaysia stock prices. http://www.msn.com.sg/money/
- -- Custom packets with little to no money down. http://nemesis.sourceforge.net -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (Darwin) iD8DBQFAMr57Eqr8+Gkj0/0RAusIAKDBNeYxP3LuIoKI4zP8KoV8041xfgCcCFn+ vQmWuhTiiAKRv0hLce7/sLk= =QZu7 -----END PGP SIGNATURE----- ------------------------------------------------------- SF.Net is sponsored by: Speed Start Your Linux Apps Now. Build and deploy apps & Web services for Linux with a free DVD software kit from IBM. Click Now! http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Re: ARPSpoof! Jeff Nathan (Feb 17)
- <Possible follow-ups>
- Re: ARPSpoof! Jeff Nathan (Feb 17)