[Snort-devel] New Feature based on MAC address filtering (Possible !!!!!)

Rich Adamson radamson at ...442...
Wed Jun 18 07:01:02 EDT 2003


> Yes, arpwatch and snort can coexist (or at least have on all of the versions
> I have used) on the same interface.  I am not sure how your LAN is set up,
> but in order to perform a MAC attack - they will need access to the LAN
> segment (once a router is installed, the MAC addresses are stripped at the
> router).  Another thought is gaining access to a broadcast port to sniff
> Windows ids and passwords - then break into an existing machine (or forcing
> a switch into broadcast mode).  While neither of these is difficult, they
> require a physical presence.

If your Windows systems are passing userids and passwords via broadcast
packets, best go fix those systems. (Those are actually passed in directed
sessions, making it near impossible to sniff the required data without access
to switch-based port mirroring functions, a hub, etc.)






