[Snort-devel] ARPSpoof plugin and more
rwagner at ...1225...
Fri Apr 5 07:40:29 EST 2002
There is a product already built into many versions - ARPWATCH. Combine
this with Psionic's LogSentry. The only thing that gets annoying is when
using it with DHCP where workstations all start up (when the lease has expired)
with 0.0.0.0 as the IP address, then get allocated one. You can filter out
these alerts with LogSentry.
From: Fabrice Devaux [mailto:fab at ...1233...]
Sent: Friday, April 05, 2002 8:26 AM
To: snort-devel at lists.sourceforge.net
Subject: [Snort-devel] ARPSpoof plugin and more
I'm a final year computer science student at University of Ghent in
Belgium, doing my thesis on NIDS and Snort in particular. The faculty I'm
writing for currently already has some network monitoring soft. (which is
also a thesis but from a couple of years ago). What they use now is some
hybrid of tcpdump + a set of tools that analyze the dumps every 15 minutes
and every 24 hours. (I'll get to the part having to do with snort soon,
keep on reading :) ). From the logs an ascii histogram of host activity and
that sort of stuff is made (and mailed to sysadmins). Also, for every
packet, if the source/dest ip is from the faculty's subnet, it is
looked up in a database of mac - ip couples and the mac address is
compared. Warnings are issued when a mismatch occurs. New IPs and mac
addresses on the network (from the internal net not being in that database
already) are also reported.
Now the interesting part, they came to me and asked : "can you make snort
do this stuff"
So the first thing I looked into was of course the ARPspoof preprocessor
included with snort.
So basically what I would like my preproc. to do is :
- Look at all packets and not only arp traffic
- Report changes in mac - ip couples
- Report unseen mac / ip addresses
Now what I would like to know is :
- What do you think of it ?
- Has anyone tried something like this before or is anyone working on such
a thing ?
I looked at the source of ARPSpoof and I think I grasp the basics of writing
a snort preproc. For that matter I would like to ask something about this
code. (I contacted Jeff Nathan about my plans but haven't got an answer
(yet), I didn't mention this because I didn't look at it at that time but I
guess he's reading this too anyway)
In the function ARPspoofPreprocFunction(Packet *p), assuming arpspoof was
invoked with the unicast argument in the config file; in case of an ARP
request the function first checks if the ether_dest isn't broadcast but
then it doesn't check for "Ethernet source/ARP sender address mismatch".
(because of the "else if" instead of just "if") So "Ethernet source/ARP
sender address mismatch" is only checked when the unicast argument is not
used ... ? why is this ?
Sorry if this question (or also all the rest) is stupid, I'm pretty new at
Anyway thanks for reading till here if you did :)
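The monitor both messages describe, written up here as an added Python sketch that is not part of either post, of arpwatch or of Snort: it checks the source IP/MAC pair of every packet from the internal subnet against a known-pairs database, reports changed pairs and unseen hosts, and drops the 0.0.0.0 source that DHCP clients use at start-up, which is the false positive the reply mentions. The subnet, the pair database and the packet trace are constructed sample values.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample database of known IP -> MAC pairs for the monitored subnet.
KNOWN_PAIRS: Dict[str, str] = {
    "192.0.2.10": "00:11:22:33:44:55",
    "192.0.2.11": "00:11:22:33:44:66",
}
# The faculty's own subnet (assumed value); only traffic from it is tracked.
MONITORED_NET = ipaddress.ip_network("192.0.2.0/24")


def check_packet(src_ip: str, src_mac: str, known: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Check one packet's source IP/MAC pair against the known pairs.

    Returns None when nothing is worth reporting, otherwise (kind, detail) where
    kind is "mismatch" (IP seen with a different MAC) or "new-host" (IP never seen).
    New hosts are learned into `known` so each is reported once; a mismatch does
    not overwrite the database, which stays the authoritative record.
    """
    if src_ip == "0.0.0.0":
        return None  # DHCP client before it has a lease: filtered, as LogSentry would
    if ipaddress.ip_address(src_ip) not in MONITORED_NET:
        return None  # external addresses are not part of the pair database
    src_mac = src_mac.lower()
    expected = known.get(src_ip)
    if expected is None:
        known[src_ip] = src_mac
        return ("new-host", f"{src_ip} first seen at {src_mac}")
    if expected != src_mac:
        return ("mismatch", f"{src_ip} expected {expected} but seen from {src_mac}")
    return None


def scan(packets: List[Tuple[str, str]], known: Dict[str, str]) -> List[Tuple[str, str]]:
    """Run check_packet over (src_ip, src_mac) records and collect the alerts."""
    alerts = []
    for src_ip, src_mac in packets:
        alert = check_packet(src_ip, src_mac, known)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed trace: normal traffic, a DHCP start-up, a new host (seen twice),
# an external host, and a known IP now sent from a different MAC.
SAMPLE_PACKETS = [
    ("192.0.2.10", "00:11:22:33:44:55"),
    ("0.0.0.0", "00:11:22:33:44:77"),
    ("192.0.2.12", "00:11:22:33:44:77"),
    ("192.0.2.12", "00:11:22:33:44:77"),
    ("198.51.100.5", "aa:bb:cc:dd:ee:ff"),
    ("192.0.2.11", "AA:BB:CC:DD:EE:FF"),
]

if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_PACKETS, dict(KNOWN_PAIRS)):
        print(f"{kind}: {detail}")
```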