[Snort-sigs] ARP scan
Martin Jr., D. Michael
martinm at ...1927...
Mon Oct 6 07:54:19 EDT 2003
The IP range and subnet mask is:
192.168.XXX.XXX, Mask: 255.255.0.0
These people are probably infected with the Nachi virus. In any event, I need to know who is sending out this info.
From: Jeff Nathan [mailto:jeff at ...95...]
Sent: Monday, October 06, 2003 9:49 AM
To: Martin Jr., D. Michael
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] ARP scan
What is the subnet mask of the network in question?
This looks like a regular old portscan where the destination hosts are
on the same broadcast domain as the sender. Therefore, rather than
routing the scan traffic the scanner must ARP for destination addresses
before being able to deliver data to them.
On Monday, October 6, 2003, at 09:30 AM, Martin Jr., D. Michael wrote:
> I am new to snort but think it can probably do what we need.
> Recently we have been plagued by an onslaught of computer viruses on
> our residence hall computer network (I am the Network Admin for a
> University). In any event, I have been using Ethereal to sniff our
> network and all of the infected computers seem to have one common
> denominator... They perform an ARP scan to identify other potential
> clients to infect and thus perform a Denial of Service attack on the
> campus as a result. The sniffed traffic looks similar to this:
> No.  Time      Source             Destination        Protocol  Info
> 1    0.000000  00:08:a1:15:cd:d7  ff:ff:ff:ff:ff:ff  ARP       Who has 192.168.143.18?  Tell 192.168.103.75
> 2    0.013977  00:08:a1:15:cd:d7  ff:ff:ff:ff:ff:ff  ARP       Who has 192.168.143.19?  Tell 192.168.103.75
> 3    0.018469  00:08:a1:15:cd:d7  ff:ff:ff:ff:ff:ff  ARP       Who has 192.168.143.20?  Tell 192.168.103.75
> 4    0.034004  00:08:a1:15:cd:d7  ff:ff:ff:ff:ff:ff  ARP       Who has 192.168.143.21?  Tell 192.168.103.75
> 5    0.049736  00:08:a1:15:cd:d7  ff:ff:ff:ff:ff:ff  ARP       Who has 192.168.143.22?  Tell 192.168.103.75
> 6    0.065195  00:08:a1:15:cd:d7  ff:ff:ff:ff:ff:ff  ARP       Who has 192.168.143.23?  Tell 192.168.103.75
> 7    0.081136  00:08:a1:15:cd:d7  ff:ff:ff:ff:ff:ff  ARP       Who has 192.168.143.24?  Tell 192.168.103.75
> 8    0.096509  00:08:a1:15:cd:d7  ff:ff:ff:ff:ff:ff  ARP       Who has 192.168.143.25?  Tell 192.168.103.75
> Any suggestions on the best way to get snort to detect and report this
> type of traffic?
> All I need is the hardware address of the culprit. From there I can
> go to our DHCP server and ascertain the IP and any owner information.
> Michael Martin
> University of Montevallo
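The detection the thread is asking for, as an added example that is not from the original posts or from the Snort project. Snort 2 rule headers key on tcp/udp/icmp/ip rather than ARP, and the arpspoof preprocessor looks for spoofing rather than sweeps, so this is a stand-alone Python detector in the same spirit: it parses raw Ethernet/ARP request frames (the same "Who has X? Tell Y" records the Ethereal dump shows) and flags any sender MAC that asks for many distinct target IPs inside a short window. The output is keyed on the sender's hardware address, which is exactly what the original poster wants to look up against DHCP. The sweeping MAC and addresses come from the dump above; the benign host, the 1-second window, the 20-target threshold and the frame builder are assumptions for the example.

```python
"""ARP-sweep detector (added example, not the thread's or Snort's own code).

Parses raw Ethernet + ARP request frames and reports senders that request
many distinct target IPs within a sliding time window.  The sample capture
is constructed to resemble the Ethereal dump in the thread.
"""
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_request(src_mac: bytes, src_ip: str, dst_ip: str) -> bytes:
    """Build a broadcast 'who-has dst_ip tell src_ip' frame (constructed test input)."""
    eth = b"\xff" * 6 + src_mac + struct.pack("!H", ETHERTYPE_ARP)
    # htype=Ethernet, ptype=IPv4, hlen=6, plen=4, oper=request
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)
    arp += src_mac + ip_to_bytes(src_ip) + b"\x00" * 6 + ip_to_bytes(dst_ip)
    return eth + arp


def parse_arp(frame: bytes):
    """Return (sender_mac, sender_ip, target_ip) for an Ethernet/IPv4 ARP request, else None."""
    if len(frame) < 42:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper != ARP_REQUEST:
        return None
    sha, spa, tpa = frame[22:28], frame[28:32], frame[38:42]
    return mac_str(sha), bytes_to_ip(spa), bytes_to_ip(tpa)


def detect_arp_sweeps(frames, window=1.0, threshold=20):
    """frames: iterable of (timestamp, raw_frame), ordered by timestamp.

    Returns {sender_mac: (claimed_sender_ip, distinct_targets)} for every MAC
    that asked for at least `threshold` distinct target IPs within `window` seconds.
    Each MAC is reported once, at the moment it first crosses the threshold.
    """
    history = defaultdict(list)  # sender_mac -> [(timestamp, target_ip), ...]
    alerts = {}
    for ts, frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue  # not an ARP request: ignore
        mac, sender_ip, target_ip = parsed
        hist = history[mac]
        hist.append((ts, target_ip))
        # Drop requests that fell out of the sliding window.
        while hist and ts - hist[0][0] > window:
            hist.pop(0)
        distinct_targets = {t for _, t in hist}
        if len(distinct_targets) >= threshold and mac not in alerts:
            alerts[mac] = (sender_ip, len(distinct_targets))
    return alerts


# Sender MAC and addresses taken from the Ethereal dump; the benign host is assumed.
SCANNER_MAC = bytes.fromhex("0008a115cdd7")
BENIGN_MAC = bytes.fromhex("000c29aabbcc")


def sample_capture():
    """Constructed capture: one host sweeping 192.168.143.18 upward every ~15 ms
    (40 requests), plus a normal host resolving its gateway five times."""
    frames = []
    for i in range(40):
        frames.append((i * 0.015, build_arp_request(SCANNER_MAC, "192.168.103.75", f"192.168.143.{18 + i}")))
    for i in range(5):
        frames.append((i * 0.2, build_arp_request(BENIGN_MAC, "192.168.103.80", "192.168.103.1")))
    frames.sort(key=lambda f: f[0])
    return frames


if __name__ == "__main__":
    for mac, (ip, count) in detect_arp_sweeps(sample_capture()).items():
        print(f"ARP sweep from {mac} (claims {ip}): {count} distinct targets within 1 s")
```

Two practical caveats. The sensor only sees these frames if it sits in the same broadcast domain (or VLAN) as the infected hosts, since broadcast ARP never crosses a router; on the /16 described in the thread that means a tap or span port on the residence-hall segment itself. And a host resolving many neighbours in a burst is not always hostile (an inventory scanner or monitoring box does the same), so treat the alert as a pointer to a MAC worth checking against DHCP, not as proof of infection, and tune the window and threshold to what the local segment normally does.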