[Snort-sigs] ARP scan

Martin Jr., D. Michael martinm at ...1927...
Mon Oct 6 06:32:02 EDT 2003


I am new to snort but think it can probably do what we need.  Recently
we have been plagued by an onslaught of computer viruses on our
residence hall computer network (I am the Network Admin for a
University).  In any event, I have been using Ethereal to sniff our
network and all of the infected computers seem to have one common
denominator... They perform an ARP scan to identify other potential
clients to infect and thus perform a Denial of Service attack on the
campus as a result.  The sniffed traffic looks similar to this:
 
   No. Time        Source                Destination           Protocol  Info
     1 0.000000    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP       Who has 192.168.143.18?  Tell 192.168.103.75
     2 0.013977    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP       Who has 192.168.143.19?  Tell 192.168.103.75
     3 0.018469    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP       Who has 192.168.143.20?  Tell 192.168.103.75
     4 0.034004    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP       Who has 192.168.143.21?  Tell 192.168.103.75
     5 0.049736    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP       Who has 192.168.143.22?  Tell 192.168.103.75
     6 0.065195    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP       Who has 192.168.143.23?  Tell 192.168.103.75
     7 0.081136    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP       Who has 192.168.143.24?  Tell 192.168.103.75
     8 0.096509    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP       Who has 192.168.143.25?  Tell 192.168.103.75
 
Any suggestions on the best way to get snort to detect and report this
type of traffic???
 
All I need is the hardware address of the culprit.  From there I can go
to our DHCP server and ascertain the IP and any owner information.
 
Thanks,
 
Michael Martin
University of Montevallo
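The pattern in the capture above (one source MAC asking "Who has" for many consecutive addresses within a fraction of a second) can be flagged directly from Ethereal-style summary lines. The following is an added example, not code from the poster or from the Snort project; it assumes the line format shown in the post, and the sample lines, window and threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# One Ethereal/tshark-style ARP request summary line (format taken from the post).
ARP_LINE = re.compile(
    r"^\s*\d+\s+(?P<time>[\d.]+)\s+(?P<src>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\s+ARP\s+Who has (?P<target>[\d.]+)\?\s+Tell [\d.]+",
    re.IGNORECASE,
)

def parse_arp_requests(lines):
    """Yield (time, src_mac, target_ip) for every ARP who-has line; skip the rest."""
    for line in lines:
        m = ARP_LINE.match(line)
        if m:
            yield float(m.group("time")), m.group("src").lower(), m.group("target")

def find_arp_scanners(lines, window=1.0, threshold=5):
    """Return {src_mac: max_distinct_targets} for every MAC that asked about at
    least `threshold` distinct IPs inside any sliding window of `window` seconds.
    The MAC is what the poster needs to look up the host in the DHCP server."""
    events = defaultdict(list)                      # src_mac -> [(time, target)]
    for t, mac, target in parse_arp_requests(lines):
        events[mac].append((t, target))
    scanners = {}
    for mac, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide window start forward
                start += 1
            distinct = {tgt for _, tgt in evs[start:end + 1]}
            if len(distinct) >= threshold:
                scanners[mac] = max(len(distinct), scanners.get(mac, 0))
    return scanners

# Constructed sample: the eight scan lines re-created from the post's capture
# (consecutive targets 192.168.143.18-.25, ~15 ms apart) plus one benign request
# from a made-up host that only resolves its gateway.
SAMPLE = [
    f"{i + 1} {i * 0.0155:.6f} 00:08:a1:15:cd:d7 ff:ff:ff:ff:ff:ff ARP "
    f"Who has 192.168.143.{18 + i}?  Tell 192.168.103.75"
    for i in range(8)
] + ["9 0.200000 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff ARP Who has 192.168.103.1?  Tell 192.168.103.20"]

if __name__ == "__main__":
    for mac, n in find_arp_scanners(SAMPLE).items():
        print(f"possible ARP scan from {mac}: {n} distinct targets within 1s")
```

The same parser works on `tshark -r capture.pcap arp` output, and a real deployment would tune `threshold` and `window` against the normal ARP rate of the segment before acting on a hit.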

