[Snort-sigs] Unicast ARP Request: Considered Harmful?

Jamie Riden jamie.riden at ...2420...
Mon May 19 17:07:58 EDT 2014

With *most* of the sigs, you don't know how useful they are until you
deploy them. Then you tune out the less useful ones.

I didn't know about Cisco things, but I wouldn't expect normal PCs to
be doing unicast ARP. However, I might be wrong - that is the joy of
intrusion detection :)

I spent a fair amount of time wading through RFCs when running my
first production snort instance trying to figure out why a box was
doing something, and if it was meant to do so.


On 19 May 2014 21:31, Kevin Le Gouguec <kevin.le-gouguec at ...3902...> wrote:
> Thanks for your input!
> I guess I sounded a bit desperate and/or maybe even accusative, so just to make things clear:
> a) I don't doubt for a second that the author of the ARP preprocessor had a good reason for this unicast rule;
> b) I have no stakes whatsoever in whether this rule is, has been, or ever will be relevant. I'm not even a network admin.
> >From the beginning this has purely been a matter of curiosity :)
> (Okay I just finished this message and I think I should put a break here and warn that the following is mostly a rant. Not a mean one I swear! Well I don't know, I guess *nice* rants are oxymoronic but this one's more of an incredulous-sad-puppy rant. If that makes sense. Probably doesn't. Anyway. Please by all means skip the rest of this mail)
> I mean there's probably lots of documented examples of rituals from, I don't know, ancient Mayan tribes for which we have no explanation; the evidence is there, they used to build these weird huge statues, but whatever reason they had for making those is lost on us because they never bothered documenting why they did that. And they built the last one more than a millennium ago. So there, knowledge lost.
> But this is different. This rule is not even a century old, the guys who *did* have a use for it are probably still alive and can still remember the threat it answered to, even if now nobody cares because ARP polling is a thing and there are so many application layers stacked on each other where security can fail before having to dirty your hands at the link layer.
> I can sort of imagine that there could be some fields in IT where someone's very highly specific code from the 80s could find its way in a popular Open Source project and no one has a clue as to what it was supposed to do. Network Intrusion Detection though? I can understand terse documentation, but I wrote this question mostly thinking I was a n00b without imagination or in need of enlightenment (I would totally have accepted "RTFM" as a means to enlightenment too, provided said Manual was linked). Asking a question nobody can provide an answer for does not make me less of a n00b of course, but now I have to file "Why were unicast ARP requests ever a threat to anyone?" along with "Is there free will?", "What comes after death?" and "What's the shape of the universe?".
> And that just feels kinda wrong :/
> Seriously though, I know I'm blowing this out of proportion, plus I really don't mean to spam this list, so I'll just go with "At some point somebody needed that because reasons". Thanks for putting up with me.
> ----- Original Message -----
> From: "Patrick Mullen" <pmullen at ...435...>
> To: "Kevin Le Gouguec" <kevin.le-gouguec at ...3902...>
> Cc: "Snort Sigs" <snort-sigs at lists.sourceforge.net>
> Sent: Monday, May 19, 2014 6:44:11 PM
> Subject: Re: [Snort-sigs] Unicast ARP Request: Considered Harmful?
> Kevin,
> You bring up very interesting points.  Without getting into technical
> details, can we go with your answer of (paraphrasing) "why does anyone
> care about this detection?"  This was written a very long time ago and
> the threat landscape has changed.  My original claim to fame was the
> first snort portscan preprocessor, written in 1999 but I'll be the
> first to say nobody cares about portscans anymore.  :)
> I don't mean to squash an interesting, technical discussion, but to
> answer your question of why it exists I can't say much more than over
> a decade ago someone thought it would be cool to write and since then
> attack techniques have changed and many threats have completely
> reversed direction.  A great example is back in 2004 we trusted Web
> servers and spent our time blocking attackers against them.  We still
> do that, of course, but these days more detection is centered around
> blocking malicious content coming FROM Web servers than the other way
> around.
> If you have further questions, I'd be more than happy to help out
> where I can, but generally speaking I wouldn't enable ARP spoof
> detection and wouldn't worry about it.
> Thanks,
> ~Patrick
> On Sun, May 18, 2014 at 5:33 PM, Kevin Le Gouguec
> <kevin.le-gouguec at ...3902...> wrote:
>> My point exactly! So what's the purpose of this rule since there's so many legitimate uses for unicast ARP?
>> And the attack scenario I just described does not even necessitate unicast ARP. Looking again at the algorithm, the host only updates his translation table if a) the pair "IP address/MAC address" is already in his table or b) his IP is the one specified. So you can run the "attack" I described with broadcast requests, which means this rule about unicast ARP requests does not protect against that.
>> So I still don't understand the purpose of this rule :/
>> (I suppose this is somewhat insolent but I tried asking Jeff Nathan about this rule since he seems to have written it. Neither jeff at ...95... nor jeff at ...3903... work...)
>> <SNIP>
> --
> Patrick Mullen
> Response Research Manager
> Sourcefire VRT
> ------------------------------------------------------------------------------
> "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
> Instantly run your Selenium tests across 300+ browser/OS combos.
> Get unparalleled scalability from the best Selenium testing platform available
> Simple to use. Nothing to install. Get started now for free."
> http://p.sf.net/sfu/SauceLabs
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> Please visit http://blog.snort.org for the latest news about Snort!

Jamie Riden / jamie at ...3509... / jamie.riden at ...2420...

More information about the Snort-sigs mailing list