[Snort-devel] ARPSpoof plugin and more

Fabrice Devaux fab at ...1233...
Fri Apr 5 06:21:19 EST 2002

Hi list,

I'm a final-year computer science student at the University of Ghent in 
Belgium, doing my thesis on NIDS and Snort in particular. The faculty I'm 
writing for already has some network monitoring software (which is 
also a thesis, but from a couple of years ago). What they use now is a 
hybrid of tcpdump + a set of tools that analyze the dumps every 15 minutes 
and every 24 hours. (I'll get to the part having to do with Snort soon, 
keep on reading :) ). From the logs an ASCII histogram of host activity and 
that sort of stuff is made (and mailed to sysadmins). Also, for every 
packet, if the source/dest IP is from the faculty's subnet, it is 
looked up in a database of MAC/IP couples and the MAC address is 
compared. Warnings are issued when a mismatch occurs. New IPs and MAC 
addresses on the network (from the internal net, not being in that database 
already) are also reported.

Now the interesting part: they came to me and asked, "can you make Snort 
do this stuff?"

So the first thing I looked into was of course the ARPspoof preprocessor 
included with Snort.
So basically what I would like my preprocessor to do is:

- Look at all packets and not only ARP traffic
- Report changes in MAC/IP couples
- Report unseen MAC / IP addresses

Now what I would like to know is:

- What do you think of it?
- Has anyone tried something like this before or is anyone working on such 
a thing ?
- ...

I looked at the source of ARPSpoof and I think I grasp the basics of writing 
a Snort preprocessor. For that matter I would like to ask something about this 
code. (I contacted Jeff Nathan about my plans but haven't got an answer 
(yet). I didn't mention this because I didn't look at it at that time, but I 
guess he's reading this too anyway.)

In the function ARPspoofPreprocFunction(Packet *p), assuming arpspoof was 
invoked with the unicast argument in the config file: in case of an ARP 
request the function first checks that the ether_dest isn't broadcast, but 
then it doesn't check for "Ethernet source/ARP sender address mismatch" 
(because of the "else if" instead of just "if"). So "Ethernet source/ARP 
sender address mismatch" is only checked when the unicast argument is not 
used ... ? Why is this?

Sorry if this question (or also all the rest) is stupid, I'm pretty new at 

Anyway, thanks for reading till here if you did :)

Fabrice Devaux
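The monitor the post describes (look at every packet, not only ARP; compare each local IP against a MAC/IP database; report mismatches and addresses never seen before) is simple enough to sketch in full. The block below is an added, self-contained illustration of that logic, not code from the post, from Snort, or from the arpspoof preprocessor; it does not use Snort's Packet structure or preprocessor API, and the `Packet` dataclass, the `MacIpMonitor` class, the 10.0.0.0/24 subnet, the MAC addresses and the packet trace are all constructed here for the example. For ARP frames it also performs two checks of the same kind the post asks about (unicast ARP request, and Ethernet source vs. ARP sender mismatch), applied unconditionally rather than in an if/else-if chain.

```python
"""Track MAC/IP pairs across all traffic on a local subnet and report
mismatches against a baseline database plus previously unseen addresses.
Constructed example; not Snort or arpspoof code."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Packet:
    """Minimal decoded frame: Ethernet header plus either IP or ARP fields."""
    ether_src: str
    ether_dst: str
    ip_src: Optional[str] = None          # set for IPv4 traffic
    ip_dst: Optional[str] = None
    arp_op: Optional[str] = None          # "request" / "reply" for ARP traffic
    arp_sender_mac: Optional[str] = None
    arp_sender_ip: Optional[str] = None


def _is_unicast(mac: str) -> bool:
    # Broadcast/multicast MACs have the low bit of the first octet set; they
    # never identify a host, so pairing them with an IP would be meaningless.
    return int(mac.split(":")[0], 16) & 1 == 0


class MacIpMonitor:
    def __init__(self, local_net: str, database: Dict[str, str]):
        self.net = ipaddress.ip_network(local_net)
        self.pairs = dict(database)                 # ip -> mac baseline
        self.known_macs = set(database.values())
        self.alerts: List[str] = []

    def _observe(self, ip: Optional[str], mac: Optional[str], where: str) -> None:
        """Check one (ip, mac) pair taken from a packet. Only local IPs are
        considered: a remote IP is paired with the gateway's MAC, not a host's."""
        if ip is None or mac is None or not _is_unicast(mac):
            return
        if ipaddress.ip_address(ip) not in self.net:
            return
        if mac not in self.known_macs:
            self.alerts.append(f"NEW_MAC {mac} seen with {ip} ({where})")
            self.known_macs.add(mac)           # report a new MAC once
        if ip not in self.pairs:
            self.alerts.append(f"NEW_IP {ip} -> {mac} ({where})")
            self.pairs[ip] = mac               # learn it, report it once
        elif self.pairs[ip] != mac:
            # Baseline is authoritative: keep it and keep alerting on conflicts.
            self.alerts.append(
                f"MISMATCH {ip}: database has {self.pairs[ip]}, packet has {mac} ({where})")

    def process(self, pkt: Packet) -> List[str]:
        """Run all checks on one packet; return the alerts it produced."""
        start = len(self.alerts)
        if pkt.arp_op is not None:
            # Both ARP checks are independent, so both always run.
            if pkt.arp_op == "request" and pkt.ether_dst != BROADCAST:
                self.alerts.append(
                    f"UNICAST_ARP_REQUEST to {pkt.ether_dst} from {pkt.ether_src}")
            if pkt.arp_sender_mac != pkt.ether_src:
                self.alerts.append(
                    f"ETHER_ARP_SENDER_MISMATCH ether {pkt.ether_src} vs arp {pkt.arp_sender_mac}")
            self._observe(pkt.arp_sender_ip, pkt.arp_sender_mac, "arp sender")
        else:
            # Non-ARP traffic: both endpoints of every IP packet are evidence.
            self._observe(pkt.ip_src, pkt.ether_src, "ip src")
            self._observe(pkt.ip_dst, pkt.ether_dst, "ip dst")
        return self.alerts[start:]


def run_demo() -> List[List[str]]:
    """Replay a constructed trace; return the alert types raised per packet."""
    database = {"10.0.0.1": "00:11:22:33:44:01", "10.0.0.2": "00:11:22:33:44:02"}
    mon = MacIpMonitor("10.0.0.0/24", database)
    gateway = "aa:bb:cc:dd:ee:ff"
    trace = [
        Packet("00:11:22:33:44:01", "00:11:22:33:44:02", "10.0.0.1", "10.0.0.2"),  # normal
        Packet("00:11:22:33:44:01", gateway, "10.0.0.1", "8.8.8.8"),            # to internet
        Packet("00:11:22:33:44:02", BROADCAST, "10.0.0.2", "10.0.0.255"),       # IP broadcast
        Packet("00:11:22:33:44:03", "00:11:22:33:44:02", "10.0.0.1", "10.0.0.2"),  # 10.0.0.1 from wrong MAC
        Packet("00:11:22:33:44:04", "00:11:22:33:44:02", "10.0.0.9", "10.0.0.2"),  # unknown host
        Packet("00:11:22:33:44:04", "00:11:22:33:44:02", "10.0.0.9", "10.0.0.2"),  # same host again
        Packet("00:11:22:33:44:02", BROADCAST, arp_op="request",                  # ARP sender != ether src
               arp_sender_mac="00:11:22:33:44:05", arp_sender_ip="10.0.0.2"),
        Packet("00:11:22:33:44:01", "00:11:22:33:44:02", arp_op="request",        # unicast ARP request
               arp_sender_mac="00:11:22:33:44:01", arp_sender_ip="10.0.0.1"),
    ]
    return [[a.split()[0] for a in mon.process(p)] for p in trace]


if __name__ == "__main__":
    for i, kinds in enumerate(run_demo(), 1):
        print(i, kinds or "-")
```

One caveat this makes visible: the sensor must sit in the broadcast domain it monitors. Traffic routed in from another internal VLAN arrives with the router's MAC as ether_src, and if that source IP is inside `local_net` it will be reported as a mismatch for every packet; the real tool either restricts `local_net` to directly attached segments or whitelists the router MACs.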
