[Snort-devel] Man in the middle attacks

Jeff Nathan jeff at ...835...
Mon Nov 19 12:55:02 EST 2001


"Dominick, David" wrote:
> 
> Has anybody found an efficient way of detecting man in the middle attacks
> that utilize flaws in ARP caching/ One attack in particular, Etercap,
> poisons the arp cache of the target machine. I know that sniffing for arp
> warnings would be ridiculous, so does anybody have any suggestions?
> 
> Thank you,
> David Dominick
> Enterprise Security Engineering
> 404-202-2848
> 
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel

Provided your snort sensor is on the same layer 2 segment as the hosts
you want to protect, you can use the arpspoof preprocessor.  

Additionally, for things that won't change you should see if your end
hosts will allow you to create static ARP entries.

-Jeff

-- 
http://jeff.wwti.com            (pgp key available)
"Common sense is the collection of prejudices acquired by age eighteen."
- Albert Einstein




More information about the Snort-devel mailing list