[Snort-devel] New Feature based on MAC address filtering (Possible !!!!!)

Atul Shrivastava atul_iet at ...398...
Tue Jun 17 23:20:28 EDT 2003

Well .....
First of all, MAC spoofing should be taken care of by the IDS only, because it comes under the work profile of an IDS. So we have to use too many tools for making a perfect IDS ...
OK, if anybody uses Arpwatch, can Arpwatch be installed on the same machine as the Snort sensor and be run on the same interface on which the sensor is collecting data?
Because the traffic is coming on the sensor arm, there will be no question regarding the broadcast domain: when an IDS is placed in a network, the placement is done in such a way that all the traffic passes through the sensor, and if a switch is there, port mirroring is used to make all the traffic available to the sensor.
In my setup the Snort sensor and management console are running on the same machine. The management uses eth0 and the sensor is running in promiscuous mode on eth1. So my question is: can I run Arpwatch on the eth1 interface so that whatever Snort is scanning, Arpwatch can also get all this traffic? Now my doubt is: if I run Arpwatch on the same interface as the Snort sensor, which application gets the traffic first?
Regards and have a nice day,
Atul Shrivastava

Frank Knobbe <fknobbe at ...337...> wrote:
On Tue, 2003-06-17 at 04:06, Keith R Kilby wrote:
> Sorry, but I would have to disagree; in my experience anybody attaching to
> the network and stealing a valid IP from your network would only be
> detectable by checking the MAC address. So it must be a function of the
> Intrusion Detection System to report such occurrences.

You are allowed to disagree :) Yes, it is a somewhat useful function
("somewhat" because someone could fake an existing MAC address. This is
often done on wireless networks to evade MAC filtering). Something
should be watching arps, but it is my opinion that it doesn't need to be
Snort. As mentioned earlier, software for that (arpwatch) already

> Not strictly true? I believe that any MAC address would be detectable if
> it is on the same segment of the LAN as the IDS sensor; broadcasts and
> domain have little to do at that level of the protocol stack.

With "broadcast domain" I was referring to the network segment. Due to
high proliferation of switches, it has become uncommon to have
"collision domains". Those terms should be as familiar as the 5-4-3 rule
for Ethernet. 
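
The ARP watching discussed in this thread, sketched as an added example; it is not part of the original messages and is not arpwatch or Snort code. It parses raw Ethernet ARP frames, remembers the last MAC seen for each sender IP, and reports new or changed bindings; the event labels and the `build_arp` helper are assumptions made for this illustration, and the frames are constructed sample input.

```python
import struct

def parse_arp(frame):
    """Return (eth_src, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42:                      # 14-byte Ethernet header + 28-byte ARP body
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", frame[14:22])
    if ethertype != 0x0806 or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = ".".join(str(x) for x in frame[28:32])
    return mac(frame[6:12]), mac(frame[22:28]), ip

class ArpMonitor:
    """Tracks IP -> MAC bindings seen in ARP traffic on the monitored segment."""
    def __init__(self):
        self.bindings = {}                   # sender IP -> last sender MAC

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return []
        eth_src, sha, spa = parsed
        events = []
        if eth_src != sha:                   # Ethernet header disagrees with the ARP payload
            events.append(("ethernet mismatch", spa, eth_src, sha))
        if spa == "0.0.0.0":                 # ARP probe: sender has no address to bind yet
            return events
        known = self.bindings.get(spa)
        if known is None:
            events.append(("new station", spa, sha))
        elif known != sha:                   # same IP now claimed by a different MAC
            events.append(("changed ethernet address", spa, known, sha))
        self.bindings[spa] = sha
        return events

def build_arp(eth_src, sha, spa, tpa, oper=1):
    """Constructed sample input: a 42-byte broadcast ARP frame (hypothetical helper)."""
    h = lambda m: bytes.fromhex(m.replace(":", ""))
    a = lambda i: bytes(int(o) for o in i.split("."))
    eth = b"\xff" * 6 + h(eth_src) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + h(sha) + a(spa)
    return eth + arp + b"\x00" * 6 + a(tpa)
```

A station that clones the MAC of the host it impersonates produces no "changed" event here, which is the limitation raised in the reply above.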

