[Snort-devel] New Feature based on MAC address filtering (Possible !!!!!)

Atul Shrivastava atul_iet at ...398...
Wed Jun 18 08:10:19 EDT 2003


Yes, that is the real scenario ....

When an attacker tries to attack from the internet then
attack signatures are there to detect it, because if he
wants to do file copying then the firewall will stop
him, so no fear of that guy,,, but let's think that if
someone enters into our network physically (LAN) and
puts a valid IP and then transfers a file which is not
an attack, then it is also a security breach and it is
also called an intrusion in terms of managers.

Also when people are trying to get in from some other WAN
network, their MAC address has been changed by our
network WAN gateway, so anyway we can authenticate
that he is a valid person, and if that traffic enters
the network then it will not generate alerts due to
MAC filtering, because that traffic has the valid MAC
and this MAC is of our GATEWAY WAN interface, which we
can give in the MAC table.

So I think that a new MAC in the network is really a big
threat, because now the network is anyway going to be
mobile, as you are saying, because of wireless networks
and due to most of the employees purchasing

This will really help the intrusion from the internal


Atul Shrivastava

--- Robert Wagner <rwagner at ...1225...> wrote:
> Yes, arpwatch and snort can coexist (or at least
> have on all of the versions
> I have used) on the same interface.  I am not sure
> how your LAN is setup,
> but in order to perform a MAC attack - they will
> need access to the LAN
> segment (once a router is installed, the MAC
> addresses are stripped at the
> router).  Another thought is gaining access to a
> broadcast port to sniff
> Windows ids and passwords - then break in to an
> existing machine (or forcing
> a switch into broadcast mode).  While neither of
> these is difficult, they
> require a physical presence.  
> It is far easier, less risky, and more likely to
> trick someone into
> installing a trojan and working remotely.
> If you are working on a Wireless LAN, I believe it
> is currently a safe
> assumption that nothing is secure and it is a
> hostile environment.  If you
> treat it as such, then your security shouldn't care
> about the MACs.
> Perhaps you could provide a little more information,
> I believe there are
> enough security conscious people on this list to
> give you some excellent
> designs.
> -----Original Message-----
> From: Atul Shrivastava [mailto:atul_iet at ...398...]
> Sent: Wednesday, June 18, 2003 1:19 AM
> To: Frank Knobbe; Keith R Kilby
> Cc: snort-devel at lists.sourceforge.net
> Subject: Re: [Snort-devel] New Feature based on MAC
> address filtering
> (Possible !!!!!)
> Well .....
> First of all, MAC spoofing should be taken care of
> by the IDS only, because it comes
> under the work profile of an IDS. So we have to use too
> many tools for making a
> perfect IDS ...............
> OK, if anybody uses Arpwatch, then can Arpwatch be
> installed on the same
> machine as the Snort sensor machine, and can it be run on
> the same interface
> on which the sensor is collecting data?
> Because the traffic is coming on the sensor arm and
> there will be no
> question regarding the broadcast domain, because when an IDS
> is placed in a network
> then placing will be done in such a way that all the
> traffic will pass
> through this sensor, and also if a switch is there then
> port mirroring is used
> to make all the traffic available to the
> sensor.
> In my setup the snort sensor and management console
> are running on the same
> machine. The management uses eth0 and the sensor is
> running in promiscuous mode on
> eth1. So my question is: can I run Arpwatch
> on the eth1 interface so
> that whatever Snort is scanning, ARPWATCH can
> also be able to get all
> this traffic? Now my doubt is that if I run arpwatch
> on the same interface
> as the snort sensor, then which application is able to
> get the traffic
> first....??????
> Regards and have a nice day,
> Atul Shrivastava
> Frank Knobbe <fknobbe at ...337...> wrote:
> On Tue, 2003-06-17 at 04:06, Keith R Kilby wrote:
> > Sorry, but I would have to disagree, in my experience
> anybody attaching to 
> > the network and stealing a
> > valid IP from your network would only be
> detectable by checking the MAC 
> > address. So it must be a
> > function of the Intrusion Detection System to
> report such occurrences.
> You are allowed to disagree :) Yes, it is a somewhat
> useful function
> ("somewhat" because someone could fake an existing
> MAC address. This is
> often done on wireless networks to evade MAC
> filtering). Something
> should be watching arps, but it is my opinion that
> it doesn't need to be
> Snort. As mentioned earlier, software for that
> (arpwatch) already
> exists.
> > Not strictly true? I believe that any MAC address
> would be detectable if 
> > it is on the same segment
> > of the LAN as the IDS sensor; broadcasts and
> domain have little to do at 
> > those levels of the protocol stack.
> With "broadcast domain" I was referring to the
> network segment. Due to
> high proliferation of switches, it has become
> uncommon to have
> "collision domains". Those terms should be as
> familiar as the 5-4-3 rule
> for Ethernet. 
> Regards,
> Frank


Regards and have a nice day,

                           Atul Shrivastava
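An added illustration of what the arpwatch-style check discussed in this thread actually does with a "MAC table" of valid stations. This is example code written for this page, not code from arpwatch, Snort, or anyone in the thread. The input format (a tcpdump-like "arp reply <ip> is-at <mac>" line), the sample records, and the list of known MACs are all constructed here; the event names are modelled on arpwatch's report names. It assumes the monitor sees the same ARP replies the sensor interface sees.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Hypothetical "MAC table" of stations the administrator declares valid,
# including the gateway interface mentioned in the thread. Addresses are
# taken from the IANA documentation range 00-00-5E-00-53-xx.
KNOWN_MACS: Set[str] = {
    "00:00:5e:00:53:01",  # gateway
    "00:00:5e:00:53:10",  # workstation
}

# Constructed sample input modelled on tcpdump's one-line ARP output
# ("<time> arp reply <ip> is-at <mac>"); this is not a real capture.
SAMPLE_ARP_LINES = """\
10:00:01 arp reply 192.168.1.1 is-at 00:00:5e:00:53:01
10:00:02 arp reply 192.168.1.10 is-at 00:00:5e:00:53:10
10:05:00 arp reply 192.168.1.10 is-at 00:00:5e:00:53:99
10:05:30 arp reply 192.168.1.10 is-at 00:00:5e:00:53:10
10:10:00 arp reply 192.168.1.20 is-at 00:00:5e:00:53:10
10:11:00 arp reply 192.168.1.1 is-at 00:00:5e:00:53:01
"""

ARP_REPLY_RE = re.compile(
    r"^(?P<ts>\S+) arp reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\s*$"
)

Alert = Tuple[str, str, str, str]  # (timestamp, event, ip, mac)


@dataclass
class ArpMonitor:
    known_macs: Set[str]
    bindings: Dict[str, str] = field(default_factory=dict)        # ip -> current MAC
    history: Dict[str, Set[str]] = field(default_factory=dict)    # ip -> every MAC seen
    alerts: List[Alert] = field(default_factory=list)

    def observe(self, ts: str, ip: str, mac: str) -> List[str]:
        """Record one ARP reply and return the events it triggers."""
        mac = mac.lower()
        events: List[str] = []
        # A station whose MAC is not in the table: the "new MAC" case.
        if mac not in self.known_macs:
            events.append("unknown mac")
        prev = self.bindings.get(ip)
        if prev is None:
            events.append("new station")
        elif prev != mac:
            # Same IP now answered by a different MAC: the IP-stealing case.
            if mac in self.history.get(ip, set()):
                events.append("flip flop")           # back to an earlier MAC
            else:
                events.append("changed ethernet address")
        self.bindings[ip] = mac
        self.history.setdefault(ip, set()).add(mac)
        for event in events:
            self.alerts.append((ts, event, ip, mac))
        return events

    def feed(self, text: str) -> int:
        """Parse ARP reply lines; returns how many were understood."""
        parsed = 0
        for line in text.splitlines():
            m = ARP_REPLY_RE.match(line)
            if not m:
                continue  # requests, gratuitous ARP etc. are ignored here
            parsed += 1
            self.observe(m["ts"], m["ip"], m["mac"])
        return parsed


def run_demo() -> ArpMonitor:
    mon = ArpMonitor(known_macs={m.lower() for m in KNOWN_MACS})
    mon.feed(SAMPLE_ARP_LINES)
    return mon


if __name__ == "__main__":
    for ts, event, ip, mac in run_demo().alerts:
        print(f"{ts} {event:<24} {ip:<15} {mac}")
```

The third sample record (an unknown MAC answering for 192.168.1.10) raises both "unknown mac" and "changed ethernet address", which is the intruder-with-a-valid-IP case Atul and Keith describe. The last record, a reply that repeats the gateway's real IP and MAC exactly, raises nothing: a host that clones an existing MAC/IP pair is invisible to this kind of check, which is the limitation Frank points out. Nothing here depends on Snort; it only needs to see the ARP traffic on the monitored interface.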
