Yes, arpwatch and snort can coexist (or at least have on all of the versions
I have used) on the same interface.  I am not sure how your LAN is set up,
but in order to perform a MAC attack they will need access to the LAN
segment (once a router is installed, the MAC addresses are stripped at the
router).  Another thought is gaining access to a broadcast port to sniff
Windows ids and passwords, then break into an existing machine (or forcing
a switch into broadcast mode).  While neither of these is difficult, they
require a physical presence.
It is far easier, less risky, and more likely to trick someone into
installing a trojan and working remotely.
If you are working on a Wireless LAN, I believe it is currently a safe
assumption that nothing is secure and it is a hostile environment.  If you
treat it as such, then your security shouldn't care about the MACs.
Perhaps you could provide a little more information; I believe there are
enough security conscious people on this list to give you some excellent

Well .....
First of all, MAC spoofing should be taken care of by the IDS only, because it
comes under the work profile of an IDS. So we have to use too many tools for
making a perfect IDS ...............
OK, if anybody uses Arpwatch, then can Arpwatch be installed on the same
machine as the Snort sensor and be run on the same interface on which the
sensor is collecting data?
Because the traffic is coming in on the sensor arm, there will be no
question regarding the broadcast domain: when an IDS is placed in a network,
the placement is done in such a way that all the traffic will pass
through this sensor, and if a switch is there, then port mirroring is used
to make all the traffic available to the sensor.
In my setup the snort sensor and management console are running on the same
machine. The management uses eth0 and the sensor is running in promiscuous
mode on eth1. So my question is: can I run Arpwatch on the eth1 interface so
that whatever Snort is scanning, Arpwatch is also able to get all of
this traffic? Now my doubt is that if I run arpwatch on the same interface
as the snort sensor, then which application is able to get the traffic
> Sorry, but I would have to disagree. In my experience anybody attaching to
> the network and stealing a valid IP from your network would only be
> detectable by checking the MAC address. So it must be a function of the
> Intrusion Detection System to report such occurrences.

You are allowed to disagree :) Yes, it is a somewhat useful function
("somewhat" because someone could fake an existing MAC address. This is
often done on wireless networks to evade MAC filtering). Something
should be watching arps, but it is my opinion that it doesn't need to be
Snort. As mentioned earlier, software for that (arpwatch) already

> Not strictly true? I believe that any MAC address would be detectable if
> it is on the same segment of the LAN as the IDS sensor; broadcasts and
> domain have little to do at that level of the protocol stack.

With "broadcast domain" I was referring to the network segment. Due to the
high proliferation of switches, it has become uncommon to have
"collision domains". Those terms should be as familiar as the 5-4-3 rule
for Ethernet.
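To make concrete what the arpwatch-style monitoring discussed in this thread actually reports, here is an added example (not code from any poster, and not arpwatch itself): a small IP-to-MAC binding tracker that emits the same classes of events arpwatch logs ("new station", "changed ethernet address", "flip flop") when a second host starts answering for an IP already in the table. The ARP reply records are constructed sample data, not a capture.

```python
# Added example, not from any poster on this thread: an arpwatch-style tracker
# that keeps an IP -> MAC table from observed ARP replies and reports the event
# classes arpwatch logs. Sample records below are constructed, not captured.
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class ArpTracker:
    # ip -> (current MAC, previously seen MAC or None)
    table: dict = field(default_factory=dict)

    def observe(self, ip: str, mac: str) -> str | None:
        """Record one sender IP/MAC pair; return an event string or None."""
        mac = mac.lower()
        if ip not in self.table:
            self.table[ip] = (mac, None)
            return f"new station {ip} {mac}"
        cur, prev = self.table[ip]
        if mac == cur:
            return None  # binding unchanged, nothing to report
        if mac == prev:
            # Bounced back to the MAC seen before the last change: two hosts
            # are contending for one IP, which arpwatch calls a flip flop.
            self.table[ip] = (mac, cur)
            return f"flip flop {ip} {mac} (was {cur})"
        self.table[ip] = (mac, cur)
        return f"changed ethernet address {ip} {mac} (was {cur})"


# Constructed sample ARP replies (sender IP, sender MAC) as a monitor on a
# promiscuous interface would see them; entries 4 and 5 mimic a second host
# claiming 192.168.1.10 and the original owner answering again.
SAMPLE_REPLIES = [
    ("192.168.1.10", "00:11:22:33:44:55"),
    ("192.168.1.20", "00:11:22:33:44:66"),
    ("192.168.1.10", "00:11:22:33:44:55"),
    ("192.168.1.10", "aa:bb:cc:dd:ee:ff"),
    ("192.168.1.10", "00:11:22:33:44:55"),
]


def run(replies=SAMPLE_REPLIES) -> list[str]:
    """Feed replies through a fresh tracker and collect the reported events."""
    tracker = ArpTracker()
    return [e for e in (tracker.observe(ip, mac) for ip, mac in replies) if e]


if __name__ == "__main__":
    for event in run():
        print(event)
```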