[Snort-devel] Weird snort output - probably arpspoof output

Jeff Nathan jeff at ...271...
Mon Jul 16 19:41:34 EDT 2001


oops..

well thanks for catching that.

I've attached a diff to spp_arpspoof.c from CVS.

We do a lookup of the sender's hardware address from the ARP packet
itself but then later compare it to the Ethernet header's source
hardware address.   The proper implementation would be to compare only
the ARP packet's sender hardware address to our linked list, but just to
be safe, we're going to do both.  There's no telling with vendor
implementations.

-Jeff

Fyodor wrote:
> 
> On Thu, Jul 12, 2001 at 10:43:47AM -0500, Bill Marquette wrote:
> >
> >
> > Alright...looks like I may have found a possible cause for the weird log
> > messages.  I'm guessing the code was just never filled in (yeah, I know it's
> > experimental, and yes I know that it was proof of concept :)).  Anyways, from
> > ARPspoofPreprocFunction(), we init logMessage but never seem to actually fill it
> > before it's used.
> >     char logMessage[180];
> > .
> > .
> > .
> >         switch(ntohs(p->ah->ea_hdr.ar_op))
> >         {
> >             case ARPOP_REQUEST:
> >                 if (check_directed_arp)
> >                                 {
> >                     if (memcmp((u_char *)p->eh->ether_dst, (u_char *)bcast, 6)
> > != 0)
> >                     {
> 
> Yep, good spot, I am removing (commenting out) logMessage altogether
> now :)
> 
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> http://lists.sourceforge.net/lists/listinfo/snort-devel

-- 
http://jeff.wwti.com            (pgp key available)
"Common sense is the collection of prejudices acquired by age eighteen."
- Albert Einstein
-------------- next part --------------
--- spp_arpspoof.c.orig	Thu Jul 12 09:29:11 2001
+++ spp_arpspoof.c	Mon Jul 16 16:35:09 2001
@@ -175,10 +175,10 @@
     if (!args) return;
     toks = mSplit(args, " ", 2, &num_toks, '\\');
 
-        if(num_toks > 1)
-        {      
-            FatalError(MODNAME ": ERROR: %s (%d) => ARPspoof configuration format: seconds \n", file_name, file_line);
-        } 
+    if(num_toks > 1)
+    {      
+        FatalError(MODNAME ": ERROR: %s (%d) => ARPspoof configuration format: seconds \n", file_name, file_line);
+    } 
 
     for(num = 0; num < num_toks; num++)
     {
@@ -195,7 +195,7 @@
     Event event;
  /*   char logMessage[180];  */
     IPMacEntry *ipme;
-	u_int8_t addr[4];
+    u_int8_t addr[4];
 
     if(p && (p->eh != NULL && p->ah != NULL))
     {
@@ -210,23 +210,23 @@
         {
             case ARPOP_REQUEST:
                 if (check_directed_arp) 
-				{
+                {
                     if (memcmp((u_char *)p->eh->ether_dst, (u_char *)bcast, 6) != 0)
                     {
                         SetEvent(&event, GENERATOR_SPP_ARPSPOOF, ARPSPOOF_DIRECTED_ARP_REQUEST, 1, 0, 0, 0);
                         CallAlertFuncs(NULL ,"directed ARP request" , NULL, &event);
-			#ifdef DEBUG
+                        #ifdef DEBUG
                         fprintf(stderr, "directed ARP request\n");
-			#endif
+                        #endif
                     } 
                 }
                 else if (memcmp((u_char *)p->eh->ether_src, (u_char *)p->ah->arp_sha, 6) != 0) 
                 {
                     SetEvent(&event, GENERATOR_SPP_ARPSPOOF, ARPSPOOF_ETHERFRAME_ARP_MISMATCH_SRC, 1, 0, 0, 0);
                     CallAlertFuncs(p, "Ethernet source/ARP sender address mismatch", NULL, &event);
-		    #ifdef DEBUG
+                    #ifdef DEBUG
                     fprintf(stderr, "Ethernet/ARP mismatch request\n");
-		    #endif
+                    #endif
                 }   
                 break;
             case ARPOP_REPLY:
@@ -234,42 +234,42 @@
                 {
                     SetEvent(&event, GENERATOR_SPP_ARPSPOOF, ARPSPOOF_ETHERFRAME_ARP_MISMATCH_SRC, 1, 0, 0, 0);
                     CallAlertFuncs(p, "Ethernet source/ARP sender address mismatch", NULL, &event);
-		    #ifdef DEBUG
+                    #ifdef DEBUG
                     fprintf(stderr, "Ethernet/ARP mismatch reply 1\n");
-		    #endif
+                    #endif
                 } 
                 else if (memcmp((u_char *)p->eh->ether_dst, (u_char *)p->ah->arp_tha, 6) != 0)
                 {
                     SetEvent(&event, GENERATOR_SPP_ARPSPOOF, ARPSPOOF_ETHERFRAME_ARP_MISMATCH_DST, 1, 0, 0, 0);
                     CallAlertFuncs(p, "Ethernet destination/ARP target address mismatch", NULL, &event);
-		    #ifdef DEBUG
+                    #ifdef DEBUG
                     fprintf(stderr, "Ethernet/ARP mismatch reply 2\n");
-		    #endif
+                    #endif
                 } 
                 break;
         }
-		/* LookupIPMacEntryByIP() is too slow, will be fixed later */
+        /* LookupIPMacEntryByIP() is too slow, will be fixed later */
         bcopy((void *)&p->ah->arp_spa, (void *)addr, sizeof(u_int8_t) * 4);
         if ((ipme = LookupIPMacEntryByIP(ipmel, *addr)) == NULL)
-	    {
-		#ifdef DEBUG
-	        fprintf(stderr, "ipme was NULL\n");
-                #endif
+        {
+            #ifdef DEBUG
+            fprintf(stderr, "ipme was NULL\n");
+            #endif
             return;
         }
         else
         {
-	    #ifdef DEBUG
+            #ifdef DEBUG
             fprintf(stderr, "ipme not NULL\n");
-	    #endif
-            if (memcmp((u_char *)p->eh->ether_src, (u_char *)ipme->mac_addr, 6) != 0)
+            #endif
+            if ((memcmp((u_char *)p->eh->ether_src, (u_char *)ipme->mac_addr, 6) != 0) ||  (memcmp((u_char *)p->ah->arp_spa, (u_char *)ipme->mac_addr, 6)))
             {
 
                 SetEvent(&event, GENERATOR_SPP_ARPSPOOF, ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK, 1, 0, 0, 0);
                 CallAlertFuncs(p, "Attempted ARP cache overwrite attack", NULL, &event);
-		#ifdef DEBUG
+                #ifdef DEBUG
                 fprintf(stderr, "Attempted ARP cache overwrite attack\n");
-		#endif
+                #endif
             }
        } 
     }
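Review bot: The second operand added to the ARP-cache-overwrite condition compares `p->ah->arp_spa` (the ARP sender protocol address) against `ipme->mac_addr` over 6 bytes, whereas the message accompanying the patch says the intent is to check the ARP sender hardware address, which the request-path check a few hunks up already reads as `p->ah->arp_sha`. The bcopy just above copies only 4 bytes out of arp_spa, so as written the memcmp compares an IPv4 address (plus whatever follows it in the header) against a MAC, which will almost always differ and make the "Attempted ARP cache overwrite attack" alert fire for ordinary replies from hosts that are in the list. The intended line is presumably `if ((memcmp((u_char *)p->eh->ether_src, (u_char *)ipme->mac_addr, 6) != 0) || (memcmp((u_char *)p->ah->arp_sha, (u_char *)ipme->mac_addr, 6) != 0))`, which also restores the explicit `!= 0` the first operand uses. Separately, the unchanged lookup `LookupIPMacEntryByIP(ipmel, *addr)` passes only the first byte of the 4-byte addr buffer; I cannot see the callee's signature here, so this may be intentional, but it is worth confirming while the check is being revised. The enclosing function begins before this hunk.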
@@ -354,10 +354,10 @@
 
     if (num_toks != 2)
     {
-       fprintf(stderr, "arpwatch: ERROR: invalid arguments, continuing\n");
-       for(i=0;i<num_toks;i++)
-	   free(toks[i]);
-       return;
+        fprintf(stderr, "arpwatch: ERROR: invalid arguments, continuing\n");
+        for(i=0;i<num_toks;i++)
+            free(toks[i]);
+        return;
     }
 
     /* Add entries */
@@ -369,9 +369,9 @@
     if ((IP_struct.s_addr = inet_addr(toks[0])) == -1)
     {
         fprintf(stderr, "arpwatch: ERROR: non IP as first argument of IP/MAC pair\n");
-       for(i=0;i<num_toks;i++)
-	   free(toks[i]);
-	return;
+        for(i=0;i<num_toks;i++)
+            free(toks[i]);
+        return;
     }
 
     ipme->ipv4_addr = (u_int32_t)IP_struct.s_addr;

