[Snort-sigs] Unicast ARP Request: Considered Harmful?

Kevin Le Gouguec kevin.le-gouguec at ...3902...
Mon May 19 16:31:50 EDT 2014

Thanks for your input!

I guess I sounded a bit desperate and/or maybe even accusative, so just to make things clear:

a) I don't doubt for a second that the author of the ARP preprocessor had a good reason for this unicast rule;
b) I have no stakes whatsoever in whether this rule is, has been, or ever will be relevant. I'm not even a network admin.

>From the beginning this has purely been a matter of curiosity :)

(Okay I just finished this message and I think I should put a break here and warn that the following is mostly a rant. Not a mean one I swear! Well I don't know, I guess *nice* rants are oxymoronic but this one's more of an incredulous-sad-puppy rant. If that makes sense. Probably doesn't. Anyway. Please by all means skip the rest of this mail)

I mean there's probably lots of documented examples of rituals from, I don't know, ancient Mayan tribes for which we have no explanation; the evidence is there, they used to build these weird huge statues, but whatever reason they had for making those is lost on us because they never bothered documenting why they did that. And they built the last one more than a millennium ago. So there, knowledge lost.

But this is different. This rule is not even a century old, the guys who *did* have a use for it are probably still alive and can still remember the threat it answered to, even if now nobody cares because ARP polling is a thing and there are so many application layers stacked on each other where security can fail before having to dirty your hands at the link layer.

I can sort of imagine that there could be some fields in IT where someone's very highly specific code from the 80s could find its way in a popular Open Source project and no one has a clue as to what it was supposed to do. Network Intrusion Detection though? I can understand terse documentation, but I wrote this question mostly thinking I was a n00b without imagination or in need of enlightenment (I would totally have accepted "RTFM" as a means to enlightenment too, provided said Manual was linked). Asking a question nobody can provide an answer for does not make me less of a n00b of course, but now I have to file "Why were unicast ARP requests ever a threat to anyone?" along with "Is there free will?", "What comes after death?" and "What's the shape of the universe?".
And that just feels kinda wrong :/

Seriously though, I know I'm blowing this out of proportion, plus I really don't mean to spam this list, so I'll just go with "At some point somebody needed that because reasons". Thanks for putting up with me.

----- Original Message -----
From: "Patrick Mullen" <pmullen at ...435...>
To: "Kevin Le Gouguec" <kevin.le-gouguec at ...3902...>
Cc: "Snort Sigs" <snort-sigs at lists.sourceforge.net>
Sent: Monday, May 19, 2014 6:44:11 PM
Subject: Re: [Snort-sigs] Unicast ARP Request: Considered Harmful?


You bring up very interesting points.  Without getting into technical
details, can we go with your answer of (paraphrasing) "why does anyone
care about this detection?"  This was written a very long time ago and
the threat landscape has changed.  My original claim to fame was the
first snort portscan preprocessor, written in 1999 but I'll be the
first to say nobody cares about portscans anymore.  :)

I don't mean to squash an interesting, technical discussion, but to
answer your question of why it exists I can't say much more than over
a decade ago someone thought it would be cool to write and since then
attack techniques have changed and many threats have completely
reversed direction.  A great example is back in 2004 we trusted Web
servers and spent our time blocking attackers against them.  We still
do that, of course, but these days more detection is centered around
blocking malicious content coming FROM Web servers than the other way

If you have further questions, I'd be more than happy to help out
where I can, but generally speaking I wouldn't enable ARP spoof
detection and wouldn't worry about it.



On Sun, May 18, 2014 at 5:33 PM, Kevin Le Gouguec
<kevin.le-gouguec at ...3902...> wrote:
> My point exactly! So what's the purpose of this rule since there's so many legitimate uses for unicast ARP?
> And the attack scenario I just described does not even necessitate unicast ARP. Looking again at the algorithm, the host only updates his translation table if a) the pair "IP address/MAC address" is already in his table or b) his IP is the one specified. So you can run the "attack" I described with broadcast requests, which means this rule about unicast ARP requests does not protect against that.
> So I still don't understand the purpose of this rule :/
> (I suppose this is somewhat insolent but I tried asking Jeff Nathan about this rule since he seems to have written it. Neither jeff at ...95... nor jeff at ...3903... work...)
> <SNIP>

Patrick Mullen
Response Research Manager
Sourcefire VRT

More information about the Snort-sigs mailing list