[Snort-sigs] ARP scan

Mark Nipper nipsy at ...1371...
Mon Oct 6 07:13:17 EDT 2003

On 06 Oct 2003, Martin Jr., D. Michael wrote:
>       No. Time        Source                Destination
>    Protocol Info
>          1 0.000000    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff
>    ARP      Who has  Tell
>          2 0.013977    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff
>    ARP      Who has  Tell
>          3 0.018469    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff
>    ARP      Who has  Tell
>          4 0.034004    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff
>    ARP      Who has  Tell
>          5 0.049736    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff
>    ARP      Who has  Tell
>          6 0.065195    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff
>    ARP      Who has  Tell
>          7 0.081136    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff
>    ARP      Who has  Tell
>          8 0.096509    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff
>    ARP      Who has  Tell

	I work at a University too!  :)  I just implemented an
OpenBSD box in one of our resident halls (we have 41 total, but
this is just the first step hopefully to total deployment!) which
passively detects infected hosts and then I have a shell script
which runs every few seconds to update the pf firewall and
redirect port 80 traffic on those machines to a thttpd server
running on the firewall box itself.  It's worked really well so
far, but all of this was just a gratuitous plug.  :)

	More importantly, the ARPs you're seeing (unless I'm
sorely mistaken) are a result of Nachi/Welchia infected hosts
trying to ping entire IP subnets (note the incrementing
destination IP address which is indicative of Nachi).  The ARP
requests themselves are a natural side effect of this behavior.
I believe this rule (already seen before) will also detect these
hosts successfully:
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg: "Possible NACHI Infection"; content: "|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|"; dsize:64; itype: 8; icode: 0; classtype:trojan-activity; sid: 10000008; rev: 1; )

	Anyway, if anyone else has any interest in the previously
mentioned containment box, let me know!  :)

Mark Nipper                                                e-contacts:
Computing and Information Services                      nipsy at ...1371...
Texas A&M University                        http://ops.tamu.edu/nipsy/
College Station, TX 77843-3142     AIM/Yahoo: texasnipsy ICQ: 66971617
(979)575-3193                                      MSN: nipsy at ...1371...

GG/IT d- s++:+ a-- C++$ UBL+++$ P--->+++ L+++$ E---
W++ N+ o K++ w(---) O++ M V(--) PS+++(+) PE(--) Y+
PGP++(+) t 5 X R tv b+++ DI+(++) D+ G e h r++ y+(**)

---begin random quote of the moment---
"I was in the pub last night, and a guy asked me for a light for
his cigarette.  I suddenly realized that there was a demand here
and money to be made, and so I agreed to light his cigarette for
10 pence, but I didn't actually give him a light.  I sold him a
license to burn his cigarette.  My fire-license restricted him
from giving the light to anybody else, after all, that fire was
my property.  He was drunk, and dismissing me as a loony,
accepted my fire (and by implication the licence which governed
its use) anyway.  Of course in a matter of minutes I noticed a
friend of his asking him for a light and to my outrage he gave
his cigarette to his friend and pirated my fire!  I was furious,
I started to make my way over to that side of the bar but to my
added horror his friend then started to light other people's
cigarettes left, right, and center!  Before long that whole side
of the bar was enjoying MY fire without paying me anything.
Enraged I went from person to person grabbing their cigarettes
from their hands, throwing them to the ground, and stamping on
them.  Strangely, the door staff exhibited no respect for my
property rights as they threw me out the door."

 -- Ian Clarke, Freenet Project (http://freenetproject.org)
----end random quote of the moment----
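As an added illustration (not part of the original post), the following Python detector looks for the ARP pattern the post describes: one source MAC broadcasting "Who has" requests for incrementing target IPs in quick succession. The sample lines mirror the layout of the quoted capture, but the target and sender IPs are constructed, since the original post's were stripped.

```python
"""Flag ARP ping-sweep behaviour: one MAC asking for many consecutive IPs fast."""
from collections import defaultdict
from ipaddress import ip_address
import re

# Constructed sample in the layout of the quoted summary; the IPs are made up.
SAMPLE = """\
1 0.000000 00:08:a1:15:cd:d7 ff:ff:ff:ff:ff:ff ARP Who has 10.0.0.1? Tell 10.0.0.50
2 0.013977 00:08:a1:15:cd:d7 ff:ff:ff:ff:ff:ff ARP Who has 10.0.0.2? Tell 10.0.0.50
3 0.018469 00:08:a1:15:cd:d7 ff:ff:ff:ff:ff:ff ARP Who has 10.0.0.3? Tell 10.0.0.50
4 0.034004 00:08:a1:15:cd:d7 ff:ff:ff:ff:ff:ff ARP Who has 10.0.0.4? Tell 10.0.0.50
5 0.049736 00:08:a1:15:cd:d7 ff:ff:ff:ff:ff:ff ARP Who has 10.0.0.5? Tell 10.0.0.50
6 0.065195 00:08:a1:15:cd:d7 ff:ff:ff:ff:ff:ff ARP Who has 10.0.0.6? Tell 10.0.0.50
7 0.081136 00:08:a1:15:cd:d7 ff:ff:ff:ff:ff:ff ARP Who has 10.0.0.7? Tell 10.0.0.50
8 0.096509 00:08:a1:15:cd:d7 ff:ff:ff:ff:ff:ff ARP Who has 10.0.0.8? Tell 10.0.0.50
9 0.120000 00:0c:29:aa:bb:cc ff:ff:ff:ff:ff:ff ARP Who has 10.0.0.1? Tell 10.0.0.77
"""

LINE_RE = re.compile(
    r"^\s*\d+\s+(?P<t>[\d.]+)\s+(?P<src>[0-9a-f:]{17})\s+\S+\s+ARP\s+"
    r"Who has (?P<target>[\d.]+)\?\s+Tell (?P<sender>[\d.]+)", re.I)

def parse(text):
    """Yield (time, src_mac, target_ip_as_int) for each ARP request line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield float(m["t"]), m["src"].lower(), int(ip_address(m["target"]))

def find_sweepers(text, min_targets=5, window=1.0):
    """Return {src_mac: distinct_targets} for MACs that asked for at least
    min_targets distinct IPs within `window` seconds, mostly in +1 steps."""
    by_mac = defaultdict(list)
    for t, mac, target in parse(text):
        by_mac[mac].append((t, target))
    hits = {}
    for mac, reqs in by_mac.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            # distinct targets requested within `window` seconds of request i
            seen = sorted({ip for t, ip in reqs[i:] if t - t0 <= window})
            if len(seen) < min_targets:
                continue
            # share of targets exactly one above the previous: the incrementing
            # destination pattern the post attributes to Nachi/Welchia
            steps = sum(1 for a, b in zip(seen, seen[1:]) if b - a == 1)
            if steps / (len(seen) - 1) >= 0.8:
                hits[mac] = len(seen)
                break
    return hits
```

Tune `min_targets` and `window` to the segment's normal ARP rate; a single MAC resolving a handful of unrelated hosts will not trip the consecutive-IP check.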
