Snort mailing list archives
Re: Tcp session hijacking
From: Meysam Farazmand <farazmand.meisam () gmail com>
Date: Tue, 19 Aug 2014 22:34:02 +0430
Hi Waldo,

My testing network consists of four PCs and an unmanaged switch, and I don't have any router. As I said before, I poisoned the ARP tables of all the PCs and the switch with "ettercap". So, when the benign PC makes a TCP connection to the Snort PC and we poison its ARP tables, the source MAC address changes to the MAC address of the attacker, and I expect Snort to detect this change.

On Aug 19, 2014 10:23 PM, "waldo kitty" <wkitty42 () windstream net> wrote:
> top posting "corrected" to inline for readability... see my reply below...
>
> On 8/19/2014 1:00 PM, Meysam Farazmand wrote:
> > On Aug 19, 2014 9:11 PM, "Jefferson, Shawn" <Shawn.Jefferson () bcferries com> wrote:
> > > Wouldn’t your MAC addresses just be those of your routers anyway? Any non-trivial network (ie. Enterprise) probably won’t get much benefit from Snort trying to detect this. You’re better off using the anti-mac-spoofing features of your switches, IMO.
> >
> > Hi Jefferson,
> >
> > When we do a man in the middle attack, all of the devices' ARP tables update with the MAC address of the attacker. So this change in MAC address should be detected as session hijacking with the stream5 preprocessor, because the stream5 check_session_hijacking option relies on changes in the MAC address of a TCP connection.
>
> i think that what jefferson is attempting to point out is that MAC addresses are only good on the current link... in other words, this chart shows 3 MAC address changes in the flow of traffic from A to B...
>
> A -> router1 -> router2 -> B
>
> and this one shows 5 changes...
>
> A -> router1 -> router2 -> router3 -> router4 -> B
>
> the source MAC and destination MAC inside the packet will change at each "->"... IIRC, this is the same for hubs and switches, too...
>
> --
> NOTE: No off-list assistance is given without prior approval.
> Please *keep mailing list traffic on the list* unless private contact is specifically requested and granted.
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
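As an added illustration of the check the thread is discussing (example code written for this page, not Snort's stream5 implementation): a small Python model that records the client and server MAC addresses seen during a TCP three-way handshake and flags later packets in that session whose source MAC differs. The lab addresses, ports and packets below are constructed to mirror the single-switch setup described above.

```python
# Toy model of a stream5-style check_session_hijacking check (added
# example, not Snort's code). Client/server MACs are learned from the SYN
# and SYN/ACK; packets before both are seen are not checked. Addresses
# used in the scenario are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src_mac: str
    src_ip: str
    sport: int
    dst_ip: str
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN/ACK, anything else = data/ack

class SessionMacTracker:
    def __init__(self):
        self.sessions = {}  # flow key -> {"client_ep", "client", "server"}

    @staticmethod
    def key(p):  # direction-independent 4-tuple so both halves share one entry
        return tuple(sorted([(p.src_ip, p.sport), (p.dst_ip, p.dport)]))

    def feed(self, p):
        """Process one packet; return an alert string or None."""
        s = self.sessions.setdefault(self.key(p), {})
        if p.flags == "S":
            s["client_ep"], s["client"] = (p.src_ip, p.sport), p.src_mac
            return None
        if p.flags == "SA":
            s["server"] = p.src_mac
            return None
        if "client" not in s or "server" not in s:
            return None  # handshake not fully seen: nothing to compare against
        side = "client" if (p.src_ip, p.sport) == s["client_ep"] else "server"
        if p.src_mac != s[side]:
            return f"session hijack suspected: {side} MAC {s[side]} -> {p.src_mac}"
        return None

def run_lab_scenario():
    """Constructed lab: benign PC -> Snort PC, then an ARP-poisoned frame."""
    pc, snort, attacker = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02", "cc:cc:cc:00:00:03"
    flow = ("10.0.0.2", 40000, "10.0.0.3", 80)  # src_ip, sport, dst_ip, dport
    pkts = [
        Pkt(pc, *flow, "S"),
        Pkt(snort, flow[2], flow[3], flow[0], flow[1], "SA"),
        Pkt(pc, *flow, "A"),         # legitimate client packet: no alert
        Pkt(attacker, *flow, "PA"),  # attacker's MAC as source: alert
    ]
    return [a for a in map(SessionMacTracker().feed, pkts) if a]
```

Because the tracker only ever sees link-layer addresses, on a routed path the learned MACs are those of the nearest router and stay constant end to end, which is the limitation waldo kitty describes above.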