[Snort-sigs] ARP scan

Jeff Nathan jeff at ...95...
Mon Oct 6 07:50:05 EDT 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

What is the subnet mask of the network in question?

This looks like a regular old portscan where the destination hosts are 
on the same broadcast domain as the sender.  Therefore, rather than 
routing the scan traffic the scanner must ARP for destination addresses 
before being able to deliver data to them.

- -Jeff

On Monday, October 6, 2003, at 09:30 AM, Martin Jr., D. Michael wrote:

> I am new to snort but think it can probably do what we need.  
> Recently we have been plagued by an onslaught of computer viruses on 
> our residence hall computer network (I am the Network Admin for a 
> University).  In any event, I have been using Ethereal to sniff our 
> network and all of the infected computers seem to have one common 
> denominator... They perform an ARP scan to identify other potential 
> clients to infect and thus perform a Denial of Service attack on the 
> campus as a result.  The sniffed traffic looks similar to this:
>  
>    No. Time        Source                Destination           Protocol Info
>      1 0.000000    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP      Who has 192.168.143.18?  Tell 192.168.103.75
>      2 0.013977    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP      Who has 192.168.143.19?  Tell 192.168.103.75
>      3 0.018469    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP      Who has 192.168.143.20?  Tell 192.168.103.75
>      4 0.034004    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP      Who has 192.168.143.21?  Tell 192.168.103.75
>      5 0.049736    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP      Who has 192.168.143.22?  Tell 192.168.103.75
>      6 0.065195    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP      Who has 192.168.143.23?  Tell 192.168.103.75
>      7 0.081136    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP      Who has 192.168.143.24?  Tell 192.168.103.75
>      8 0.096509    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP      Who has 192.168.143.25?  Tell 192.168.103.75
>  
> Any suggestions on the best way to get snort to detect and report this 
> type of traffic???
>  
> All I need is the hardware address of the culprit.  From there I can 
> go to our DHCP server and ascertain the IP and any owner information.
>  
> Thanks,
>  
> Michael Martin
> University of Montevallo
>

- --
Top security experts.  Cutting edge tools, techniques and information.
Tokyo, Japan   November, 2003   http://www.pacsec.jp

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (Darwin)

iD8DBQE/gYDpEqr8+Gkj0/0RAtPLAJ4s1GkroOf2SSdk+OGQXBD7QQ7apQCfaU/4
8kZNRye/DbR3CnDgv8B3Bpk=
=NNfx
-----END PGP SIGNATURE-----
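A worked example added here (not Jeff's, Michael's or the Snort project's code) of the detection Michael is asking for, done in Python over Ethereal-style summary lines constructed to mirror the quoted capture plus one benign host. It flags any source MAC that asks for many distinct IP addresses inside a short window and reports the hardware address together with the IP it claims in the "Tell" field, which is what is needed for the DHCP lookup. It also checks Jeff's subnet-mask point: whether a target address falls inside the sender's broadcast domain for a given prefix length. The window (1 second), the threshold (5 distinct targets) and the second MAC address are assumptions made for the example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in the Ethereal summary format quoted in the thread.
# Rows 1-8 mirror the reported scan; rows 9-11 are an assumed benign host
# (MAC made up for the example) resolving its gateway and one neighbour.
SAMPLE = """\
No. Time        Source                Destination           Protocol Info
  1 0.000000    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP      Who has 192.168.143.18?  Tell 192.168.103.75
  2 0.013977    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP      Who has 192.168.143.19?  Tell 192.168.103.75
  3 0.018469    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP      Who has 192.168.143.20?  Tell 192.168.103.75
  4 0.034004    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP      Who has 192.168.143.21?  Tell 192.168.103.75
  5 0.049736    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP      Who has 192.168.143.22?  Tell 192.168.103.75
  6 0.065195    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP      Who has 192.168.143.23?  Tell 192.168.103.75
  7 0.081136    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP      Who has 192.168.143.24?  Tell 192.168.103.75
  8 0.096509    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP      Who has 192.168.143.25?  Tell 192.168.103.75
  9 0.110000    00:0c:29:aa:bb:cc     ff:ff:ff:ff:ff:ff     ARP      Who has 192.168.103.1?  Tell 192.168.103.90
 10 5.200000    00:0c:29:aa:bb:cc     ff:ff:ff:ff:ff:ff     ARP      Who has 192.168.103.1?  Tell 192.168.103.90
 11 9.800000    00:0c:29:aa:bb:cc     ff:ff:ff:ff:ff:ff     ARP      Who has 192.168.103.2?  Tell 192.168.103.90
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# One ARP request line of the summary: frame no, time, src MAC, dst MAC, target, sender.
LINE_RE = re.compile(
    rf"^\s*(?P<no>\d+)\s+(?P<time>\d+\.\d+)\s+(?P<src>{MAC})\s+(?P<dst>{MAC})\s+ARP\s+"
    r"Who has (?P<target>[\d.]+)\?\s+Tell (?P<sender>[\d.]+)",
    re.IGNORECASE,
)


def parse_summary(text):
    """Turn Ethereal summary lines into dicts; non-ARP-request lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append({
                "time": float(m["time"]),
                "src": m["src"].lower(),
                "target": m["target"],
                "sender": m["sender"],
            })
    return rows


def max_targets_in_window(reqs, window):
    """Largest number of distinct target IPs one MAC asked for inside any `window` seconds."""
    best, start = 0, 0
    for end, r in enumerate(reqs):
        # Slide the window start forward until it covers at most `window` seconds.
        while r["time"] - reqs[start]["time"] > window:
            start += 1
        best = max(best, len({x["target"] for x in reqs[start:end + 1]}))
    return best


def arp_scanners(rows, window=1.0, threshold=5):
    """Return {src_mac: (distinct_targets, claimed_sender_ip)} for MACs that
    asked for at least `threshold` distinct IPs within `window` seconds.
    Repeated requests for the same IP (normal retries) do not count."""
    by_src = defaultdict(list)
    for r in rows:
        by_src[r["src"]].append(r)
    hits = {}
    for mac, reqs in by_src.items():
        reqs.sort(key=lambda r: r["time"])
        n = max_targets_in_window(reqs, window)
        if n >= threshold:
            hits[mac] = (n, reqs[-1]["sender"])
    return hits


def same_broadcast_domain(sender_ip, target_ip, prefixlen):
    """Jeff's point: a host only ARPs directly for targets inside its own subnet,
    so a /16 explains 192.168.103.75 asking for 192.168.143.x; a /24 would not."""
    net = ip_network(f"{sender_ip}/{prefixlen}", strict=False)
    return ip_address(target_ip) in net


if __name__ == "__main__":
    for mac, (count, claimed) in arp_scanners(parse_summary(SAMPLE)).items():
        print(f"ARP scan from {mac}: {count} distinct targets, claims IP {claimed}")
    print("same /16:", same_broadcast_domain("192.168.103.75", "192.168.143.18", 16))
    print("same /24:", same_broadcast_domain("192.168.103.75", "192.168.143.18", 24))
```

Run against the sample it reports only the first MAC; the benign host's three requests, two of them retries for the same gateway, stay under the threshold. The two `same_broadcast_domain` calls show why the subnet mask matters: with a /16 the targets are local and the virus ARPs for them directly, with a /24 the traffic would have gone to the router instead.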