[Snort-sigs] ARP scan

Martin Jr., D. Michael martinm at ...1927...
Mon Oct 6 07:54:19 EDT 2003


The IP range and subnet mask is:

192.168.XXX.XXX, Mask: 255.255.0.0

These people are probably infected with the Nachi virus.  In any event, I need to know who is sending out this info.

Thanks

--Michael

-----Original Message-----
From: Jeff Nathan [mailto:jeff at ...95...] 
Sent: Monday, October 06, 2003 9:49 AM
To: Martin Jr., D. Michael
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] ARP scan


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

What is the subnet mask of the network in question?



This looks like a regular old portscan where the destination hosts are
on the same broadcast domain as the sender.  Therefore, rather than
routing the scan traffic the scanner must ARP for destination addresses
before being able to deliver data to them.



- -Jeff



On Monday, October 6, 2003, at 09:30 AM, Martin Jr., D. Michael wrote:

> I am new to snort but think it can probably do what we need.
> Recently we have been plagued by an onslaught of computer viruses on
> our residence hall computer network (I am the Network Admin for a
> University).  In any event, I have been using Ethereal to sniff our
> network and all of the infected computers seem to have one common
> denominator... They perform an ARP scan to identify other potential
> clients to infect and thus perform a Denial of Service attack on the
> campus as a result.  The sniffed traffic looks similar to this:
>
>    No. Time        Source                Destination           Protocol Info
>      1 0.000000    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP      Who has 192.168.143.18?  Tell 192.168.103.75
>      2 0.013977    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP      Who has 192.168.143.19?  Tell 192.168.103.75
>      3 0.018469    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP      Who has 192.168.143.20?  Tell 192.168.103.75
>      4 0.034004    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP      Who has 192.168.143.21?  Tell 192.168.103.75
>      5 0.049736    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP      Who has 192.168.143.22?  Tell 192.168.103.75
>      6 0.065195    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP      Who has 192.168.143.23?  Tell 192.168.103.75
>      7 0.081136    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP      Who has 192.168.143.24?  Tell 192.168.103.75
>      8 0.096509    00:08:a1:15:cd:d7     ff:ff:ff:ff:ff:ff     ARP      Who has 192.168.143.25?  Tell 192.168.103.75
>
> Any suggestions on the best way to get snort to detect and report this
> type of traffic???
>
> All I need is the hardware address of the culprit.  From there I can
> go to our DHCP server and ascertain the IP and any owner information.
>
> Thanks,
>
> Michael Martin
> University of Montevallo
>



- --

Top security experts.  Cutting edge tools, techniques and information.

Tokyo, Japan   November, 2003   http://www.pacsec.jp



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (Darwin)

iD8DBQE/gYDpEqr8+Gkj0/0RAtPLAJ4s1GkroOf2SSdk+OGQXBD7QQ7apQCfaU/4
8kZNRye/DbR3CnDgv8B3Bpk=
=NNfx
-----END PGP SIGNATURE-----
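Added example, not part of the thread or of Snort: a small Python detector for the pattern Jeff describes (one sender ARPing for many neighbours in quick succession) run over a constructed capture in the same shape as the Ethereal lines quoted above. The threshold and window values, the benign second host, and the alert format are assumptions; the output is the source MAC and claimed sender IP, which is what the original poster wanted to hand to the DHCP server.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample capture (assumption): eight lines reproduce the scan
# quoted in the thread, two more are an invented benign host that ARPs for
# its gateway twice, several seconds apart, and must not be flagged.
SAMPLE_CAPTURE = """\
1 0.000000 00:08:a1:15:cd:d7 ff:ff:ff:ff:ff:ff ARP Who has 192.168.143.18? Tell 192.168.103.75
2 0.013977 00:08:a1:15:cd:d7 ff:ff:ff:ff:ff:ff ARP Who has 192.168.143.19? Tell 192.168.103.75
3 0.018469 00:08:a1:15:cd:d7 ff:ff:ff:ff:ff:ff ARP Who has 192.168.143.20? Tell 192.168.103.75
4 0.034004 00:08:a1:15:cd:d7 ff:ff:ff:ff:ff:ff ARP Who has 192.168.143.21? Tell 192.168.103.75
5 0.049736 00:08:a1:15:cd:d7 ff:ff:ff:ff:ff:ff ARP Who has 192.168.143.22? Tell 192.168.103.75
6 0.065195 00:08:a1:15:cd:d7 ff:ff:ff:ff:ff:ff ARP Who has 192.168.143.23? Tell 192.168.103.75
7 0.081136 00:08:a1:15:cd:d7 ff:ff:ff:ff:ff:ff ARP Who has 192.168.143.24? Tell 192.168.103.75
8 0.096509 00:08:a1:15:cd:d7 ff:ff:ff:ff:ff:ff ARP Who has 192.168.143.25? Tell 192.168.103.75
9 0.110000 00:0c:29:aa:bb:cc ff:ff:ff:ff:ff:ff ARP Who has 192.168.103.1? Tell 192.168.103.40
10 5.200000 00:0c:29:aa:bb:cc ff:ff:ff:ff:ff:ff ARP Who has 192.168.103.2? Tell 192.168.103.40
"""

# One Ethereal-style summary line per ARP request: frame no., time, src MAC,
# dst MAC, protocol, then "Who has <target>? Tell <sender>".
ARP_REQ = re.compile(
    r"^\s*\d+\s+(?P<t>[\d.]+)\s+"
    r"(?P<src>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+\S+\s+ARP\s+"
    r"Who has (?P<target>[\d.]+)\?\s+Tell (?P<sender>[\d.]+)",
    re.IGNORECASE,
)


@dataclass
class ArpRequest:
    ts: float
    src_mac: str
    sender_ip: str
    target_ip: str


def parse_capture(text):
    """Turn summary lines into ArpRequest records; non-matching lines are skipped."""
    reqs = []
    for line in text.splitlines():
        m = ARP_REQ.match(line)
        if m:
            reqs.append(ArpRequest(float(m["t"]), m["src"].lower(), m["sender"], m["target"]))
    return reqs


def detect_arp_sweeps(reqs, threshold=5, window=1.0):
    """Flag every source MAC that asks for >= threshold distinct targets within
    any window-second span.  Returns {src_mac: alert dict}; the alert is kept
    up to date with the largest set of targets seen, so the caller gets the
    full sweep rather than only the first five addresses."""
    recent = defaultdict(deque)  # src_mac -> deque of (timestamp, target_ip)
    alerts = {}
    for r in sorted(reqs, key=lambda x: x.ts):
        q = recent[r.src_mac]
        q.append((r.ts, r.target_ip))
        while q and r.ts - q[0][0] > window:   # slide the window forward
            q.popleft()
        targets = {t for _, t in q}
        if len(targets) < threshold:
            continue
        ordered = sorted(targets, key=ip_address)
        ints = [int(ip_address(t)) for t in ordered]
        # A strictly consecutive target list is the "walk the subnet" signature.
        sequential = all(b - a == 1 for a, b in zip(ints, ints[1:]))
        prev = alerts.get(r.src_mac)
        if prev is None or len(ordered) > len(prev["targets"]):
            alerts[r.src_mac] = {
                "sender_ip": r.sender_ip,
                "first_seen": q[0][0],
                "targets": ordered,
                "sequential": sequential,
            }
    return alerts


if __name__ == "__main__":
    for mac, a in detect_arp_sweeps(parse_capture(SAMPLE_CAPTURE)).items():
        print(f"ARP sweep from {mac} (claims {a['sender_ip']}): "
              f"{len(a['targets'])} targets {a['targets'][0]}..{a['targets'][-1]}, "
              f"sequential={a['sequential']}")
```

The window and threshold are deliberately tight because a healthy host ARPs for a handful of peers over minutes, not for a run of consecutive addresses in a tenth of a second; tune both against a baseline capture from the same segment before trusting the alert. Note that the sender IP in the ARP packet is whatever the host claims, so the MAC address is the value to take to the DHCP lease table.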




