[Snort-sigs] ARP scan

Landon Lewis landon.lewis at ...1929...
Mon Oct 6 06:55:19 EDT 2003


Source                Destination
00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff

Seems like an ARP broadcast (scanning the entire subnet), but you have
the source, so...



On Mon, 6 Oct 2003 08:30:43 -0500, Martin Jr., D. Michael 
<martinm at ...1927...> wrote:

> I am new to snort but think it can probably do what we need.  Recently
> we have been plagued by an onslaught of computer viruses on our
> residence hall computer network (I am the Network Admin for a
> University).  In any event, I have been using Ethereal to sniff our
> network and all of the infected computers seem to have one common
> denominator... They perform an ARP scan to identify other potential
> clients to infect and thus perform a Denial of Service attack on the
> campus as a result.  The sniffed traffic looks similar to this:
> No. Time        Source                Destination           Protocol  Info
> 1   0.000000    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP       Who has 192.168.143.18?  Tell 192.168.103.75
> 2   0.013977    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP       Who has 192.168.143.19?  Tell 192.168.103.75
> 3   0.018469    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP       Who has 192.168.143.20?  Tell 192.168.103.75
> 4   0.034004    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP       Who has 192.168.143.21?  Tell 192.168.103.75
> 5   0.049736    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP       Who has 192.168.143.22?  Tell 192.168.103.75
> 6   0.065195    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP       Who has 192.168.143.23?  Tell 192.168.103.75
> 7   0.081136    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP       Who has 192.168.143.24?  Tell 192.168.103.75
> 8   0.096509    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP       Who has 192.168.143.25?  Tell 192.168.103.75
> Any suggestions on the best way to get snort to detect and report this
> type of traffic???
> All I need is the hardware address of the culprit.  From there I can go
> to our DHCP server and ascertain the IP and any owner information.
> Thanks,
> Michael Martin
> University of Montevallo
>
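The detection logic the question is really asking for is "one source MAC asking Who-has for many distinct targets in a short time". As an added example that is not part of this thread, the following Python script parses an Ethereal/Wireshark-style ARP summary (the sample capture below is constructed, based on the records quoted above plus a benign host for contrast), keeps a sliding time window per source hardware address, and reports any MAC that probes more than a threshold of distinct IPs within that window. The threshold, window length, and the 00:aa:bb:cc:dd:ee / 00:00:0c:07:ac:01 addresses are assumptions for illustration.

```python
"""Flag ARP sweeps in an Ethereal/Wireshark ARP summary by counting distinct
who-has targets per source MAC inside a sliding time window.

Added example; constructed sample data, not from the original thread."""
import re
from collections import defaultdict, deque

# Constructed sample: the eight records from the post, then a benign host
# (00:aa:bb:cc:dd:ee, assumed) resolving its gateway twice and getting replies.
SAMPLE_CAPTURE = """\
No. Time        Source                Destination           Protocol Info
1 0.000000    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP
Who has 192.168.143.18?  Tell 192.168.103.75
2 0.013977    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP
Who has 192.168.143.19?  Tell 192.168.103.75
3 0.018469    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP
Who has 192.168.143.20?  Tell 192.168.103.75
4 0.034004    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP
Who has 192.168.143.21?  Tell 192.168.103.75
5 0.049736    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP
Who has 192.168.143.22?  Tell 192.168.103.75
6 0.065195    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP
Who has 192.168.143.23?  Tell 192.168.103.75
7 0.081136    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP
Who has 192.168.143.24?  Tell 192.168.103.75
8 0.096509    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP
Who has 192.168.143.25?  Tell 192.168.103.75
9 0.120000    00:aa:bb:cc:dd:ee     ff:ff:ff:ff:ff:ff     ARP Who has 192.168.103.1?  Tell 192.168.103.40
10 0.120900   00:00:0c:07:ac:01     00:aa:bb:cc:dd:ee     ARP 192.168.103.1 is at 00:00:0c:07:ac:01
11 0.900000   00:aa:bb:cc:dd:ee     ff:ff:ff:ff:ff:ff     ARP
Who has 192.168.103.1?  Tell 192.168.103.40
12 0.901000   00:00:0c:07:ac:01     00:aa:bb:cc:dd:ee     ARP
192.168.103.1 is at 00:00:0c:07:ac:01
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# Frame header: number, time, source MAC, destination MAC, "ARP", optional Info
HEADER = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<time>\d+\.\d+)\s+(?P<src>" + MAC + r")\s+"
    r"(?P<dst>" + MAC + r")\s+ARP\b(?P<info>.*)$", re.I)
# Info column of an ARP request
WHO_HAS = re.compile(r"Who has (?P<target>\d+\.\d+\.\d+\.\d+)\?\s+Tell (?P<sender>\d+\.\d+\.\d+\.\d+)")


def parse_arp_requests(text):
    """Return (time, src_mac, target_ip, sender_ip) for every ARP who-has record.

    Handles both one-line records and the wrapped form where Info sits on the
    following line; ARP replies ("x is at y") are parsed but not returned."""
    lines = text.splitlines()
    records = []
    i = 0
    while i < len(lines):
        m = HEADER.match(lines[i])
        i += 1
        if not m:
            continue
        info = m.group("info")
        if not info.strip() and i < len(lines):  # Info wrapped onto the next line
            info = lines[i]
            i += 1
        w = WHO_HAS.search(info)
        if w:
            records.append((float(m.group("time")), m.group("src").lower(),
                            w.group("target"), w.group("sender")))
    return records


def find_arp_sweeps(records, threshold=5, window=2.0):
    """Return {src_mac: peak distinct targets} for sources that asked for at
    least `threshold` distinct IPs within any `window`-second span."""
    by_src = defaultdict(list)
    for t, src, target, _sender in records:
        by_src[src].append((t, target))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        recent = deque()               # (time, target) still inside the window
        live = defaultdict(int)        # target -> occurrences inside the window
        peak = 0
        for t, target in events:
            recent.append((t, target))
            live[target] += 1
            while recent and t - recent[0][0] > window:   # expire old probes
                old_t, old_target = recent.popleft()
                live[old_target] -= 1
                if live[old_target] == 0:
                    del live[old_target]
            peak = max(peak, len(live))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for mac, n in find_arp_sweeps(parse_arp_requests(SAMPLE_CAPTURE)).items():
        print(f"ARP sweep from {mac}: {n} distinct targets probed")
```

The script keys everything on the source hardware address, which is what the DHCP lookup needs; the "Tell" IP is kept in the record only because a worm could spoof it. Snort's own arpspoof preprocessor is aimed at unicast requests and cache overwrites rather than sweep rate, so this per-MAC threshold is the piece that a plain rule cannot express.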