[Snort-devel] Man in the middle attacks

Dominick, David David.Dominick at ...540...
Mon Nov 19 12:57:01 EST 2001

The static ARP is not an option, but the arpspoof is. Thank you. Do you have
any information on the arpspoof preprocessor?

-----Original Message-----
From: Jeff Nathan [mailto:jeff at ...835...]
Sent: Monday, November 19, 2001 3:53 PM
To: Dominick, David
Cc: snort-devel at lists.sourceforge.net
Subject: Re: [Snort-devel] Man in the middle attacks

"Dominick, David" wrote:
> Has anybody found an efficient way of detecting man in the middle attacks
> that utilize flaws in ARP caching? One attack in particular, Ettercap,
> poisons the arp cache of the target machine. I know that sniffing for arp
> warnings would be ridiculous, so does anybody have any suggestions?
> Thank you,
> David Dominick
> Enterprise Security Engineering
> 404-202-2848

Provided your snort sensor is on the same layer 2 segment as the hosts
you want to protect, you can use the arpspoof preprocessor.  

Additionally, for things that won't change you should see if your end
hosts will allow you to create static ARP entries.


http://jeff.wwti.com            (pgp key available)
"Common sense is the collection of prejudices acquired by age eighteen."
- Albert Einstein
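
The check discussed in this thread, as an added example that is not part of the original messages and is not Snort's code: a passive sensor on the same layer 2 segment compares each ARP sender against a table of known IP-to-MAC bindings. The addresses, frames, alert codes and function names are constructed for illustration.

```python
import struct

# Assumed, constructed bindings for hosts whose addresses "won't change".
KNOWN_BINDINGS = {"192.168.1.1": "00:11:22:33:44:55"}

def _mac(b):
    return ":".join(f"{x:02x}" for x in b)

def _ip(b):
    return ".".join(str(x) for x in b)

def check_arp_frame(frame, bindings=KNOWN_BINDINGS):
    """Return alert codes for one raw Ethernet frame seen by the sensor."""
    if len(frame) < 42:
        return []                      # too short for Ethernet + ARP
    _dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        return []                      # not ARP
    htype, ptype, hlen, plen, _op, sha, spa, _tha, _tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return []                      # only Ethernet/IPv4 ARP is handled
    alerts = []
    # The Ethernet source should match the ARP sender hardware address.
    if eth_src != sha:
        alerts.append("ETH_SRC_MISMATCH")
    # A pinned IP must only ever be claimed by its known MAC.
    expected = bindings.get(_ip(spa))
    if expected is not None and expected.lower() != _mac(sha):
        alerts.append("BINDING_MISMATCH")
    return alerts

def build_arp_reply(eth_src, sha, spa, eth_dst, tpa):
    """Build a constructed ARP reply frame for exercising the check."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    a = lambda s: bytes(int(o) for o in s.split("."))
    header = struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, 2)
    return m(eth_dst) + m(eth_src) + header + m(sha) + a(spa) + m(eth_dst) + a(tpa)

GW, HOST, OTHER = "00:11:22:33:44:55", "00:aa:bb:cc:dd:01", "00:aa:bb:cc:dd:02"
LEGIT = build_arp_reply(GW, GW, "192.168.1.1", HOST, "192.168.1.50")
# Constructed poisoning reply: a different MAC claims the pinned gateway IP.
POISON = build_arp_reply(OTHER, OTHER, "192.168.1.1", HOST, "192.168.1.50")

if __name__ == "__main__":
    for name, frame in (("legit", LEGIT), ("poison", POISON)):
        print(name, check_arp_frame(frame))
```

Only addresses listed in the table are checked for binding changes, so it suits gateways and servers with fixed addresses rather than DHCP clients.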
