No subject


Thu Nov 23 16:34:03 EST 2017


Source MAC: 00:08:a1:15:cd:d7
Source IP: 192.168.103.75

However, depending on the nature of infection, this information may not be
accurate.

Take a look in your snort.conf for information on Jeff Nathan's arpspoof
detection preprocessor.

Around 8:30am Martin Jr., D. Michael said:

MJDM :I am new to snort but think it can probably do what we need.  Recently
MJDM :we have been plagued by an onslaught of computer viruses on our
MJDM :residence hall computer network (I am the Network Admin for a
MJDM :University).  In any event, I have been using Ethereal to sniff our
MJDM :network and all of the infected computers seem to have one common
MJDM :denominator... They perform an ARP scan to identify other potential
MJDM :clients to infect and thus perform a Denial of Service attack on the
MJDM :campus as a result.  The sniffed traffic looks similar to this:
MJDM :
MJDM :   No. Time      Source             Destination        Protocol Info
MJDM :     1 0.000000  00:08:a1:15:cd:d7  ff:ff:ff:ff:ff:ff  ARP      Who has 192.168.143.18?  Tell 192.168.103.75
MJDM :     2 0.013977  00:08:a1:15:cd:d7  ff:ff:ff:ff:ff:ff  ARP      Who has 192.168.143.19?  Tell 192.168.103.75
MJDM :     3 0.018469  00:08:a1:15:cd:d7  ff:ff:ff:ff:ff:ff  ARP      Who has 192.168.143.20?  Tell 192.168.103.75
MJDM :     4 0.034004  00:08:a1:15:cd:d7  ff:ff:ff:ff:ff:ff  ARP      Who has 192.168.143.21?  Tell 192.168.103.75
MJDM :     5 0.049736  00:08:a1:15:cd:d7  ff:ff:ff:ff:ff:ff  ARP      Who has 192.168.143.22?  Tell 192.168.103.75
MJDM :     6 0.065195  00:08:a1:15:cd:d7  ff:ff:ff:ff:ff:ff  ARP      Who has 192.168.143.23?  Tell 192.168.103.75
MJDM :     7 0.081136  00:08:a1:15:cd:d7  ff:ff:ff:ff:ff:ff  ARP      Who has 192.168.143.24?  Tell 192.168.103.75
MJDM :     8 0.096509  00:08:a1:15:cd:d7  ff:ff:ff:ff:ff:ff  ARP      Who has 192.168.143.25?  Tell 192.168.103.75
MJDM :
MJDM :Any suggestions on the best way to get snort to detect and report this
MJDM :type of traffic?
MJDM :
MJDM :All I need is the hardware address of the culprit.  From there I can go
MJDM :to our DHCP server and ascertain the IP and any owner information.
MJDM :
MJDM :Thanks,
MJDM :
MJDM :Michael Martin
MJDM :University of Montevallo
MJDM :

-------------------------------------------------------------
Nigel Houghton   Security Research Engineer   Sourcefire Inc.
                 Vulnerability Research Team

"Mankind hasn't even got the technology to create a toupee
that doesn't get big laughs." -- Lister

Message dated: Oct 6
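An added worked example, not code from the Snort project or from either poster: a small ARP sweep detector that parses raw Ethernet/ARP frames and reports the offending hardware address, which is what the quoted question asks for. Two caveats a practitioner would want: the arpspoof preprocessor in Snort 2.x alerts on unicast ARP requests, on an Ethernet source that differs from the ARP sender hardware address, and on cache-overwrite attempts against hosts listed with arpspoof_detect_host; it does not count broadcast request rates, and Snort 2 rules cannot match on the arp protocol directly, so the quoted trace (broadcast requests with consistent addresses) needs rate logic like the sliding window below. The threshold of 20 distinct targets in 10 seconds, the MAC 00:11:22:33:44:55 and the sample traffic are all constructed for the example, modelled on the quoted capture, and assume Ethernet II framing with IPv4 ARP.

```python
"""ARP sweep detector over raw Ethernet frames (added example, constructed data).

Parses Ethernet/ARP headers by hand so it runs offline without scapy.
Also flags the two per-request conditions the Snort 2 arpspoof
preprocessor checks: unicast requests and Ethernet/ARP source mismatch.
"""
import struct
from collections import defaultdict, deque

ETHERTYPE_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"
ARP_REQUEST = 1


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def ip_str(b):
    return ".".join(str(x) for x in b)


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def build_arp_request(src_mac, sender_ip, target_ip, dst_mac=BROADCAST, sha=None):
    """Build an Ethernet II / ARP who-has frame (constructed test data only).
    `sha` lets a test forge an ARP sender address that differs from the frame source."""
    sha = sha or src_mac
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=Ethernet, ptype=IPv4, hlen=6, plen=4, op=request
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)
    arp += mac_bytes(sha) + ip_bytes(sender_ip)
    arp += mac_bytes("00:00:00:00:00:00") + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields we care about, or None if the frame is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    dst, src, ethertype = frame[0:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return {"eth_dst": mac_str(dst), "eth_src": mac_str(src), "op": op,
            "sha": mac_str(frame[22:28]), "spa": ip_str(frame[28:32]),
            "tha": mac_str(frame[32:38]), "tpa": ip_str(frame[38:42])}


class ArpSweepDetector:
    """Alert once per source MAC when it asks for more than `threshold` distinct
    target IPs within `window` seconds (retries of the same target do not count)."""

    def __init__(self, threshold=20, window=10.0):
        self.threshold = threshold
        self.window = window
        self.history = defaultdict(deque)  # source MAC -> deque of (timestamp, target IP)
        self.alerted = set()

    def feed(self, ts, frame):
        """Process one frame at time `ts` (seconds); return a list of alert strings."""
        a = parse_arp(frame)
        alerts = []
        if a is None or a["op"] != ARP_REQUEST:
            return alerts
        if a["eth_src"] != a["sha"]:
            alerts.append(f"{ts:.3f} eth/arp source mismatch {a['eth_src']} vs {a['sha']}")
        if a["eth_dst"] != BROADCAST:
            alerts.append(f"{ts:.3f} unicast ARP request from {a['eth_src']} to {a['eth_dst']}")
        q = self.history[a["eth_src"]]
        q.append((ts, a["tpa"]))
        while q and ts - q[0][0] > self.window:  # expire entries outside the window
            q.popleft()
        distinct = {tpa for _, tpa in q}
        if len(distinct) > self.threshold and a["eth_src"] not in self.alerted:
            self.alerted.add(a["eth_src"])
            alerts.append(f"{ts:.3f} ARP sweep from {a['eth_src']} ({a['spa']}): "
                          f"{len(distinct)} targets in {self.window:.0f}s")
        return alerts


def run_sample():
    """Constructed traffic modelled on the quoted capture: 00:08:a1:15:cd:d7 sweeps
    192.168.143.18-59 about 15 ms apart, while a second host retries one gateway lookup."""
    det = ArpSweepDetector(threshold=20, window=10.0)
    alerts = []
    scanner = "00:08:a1:15:cd:d7"
    for i in range(18, 60):
        alerts += det.feed(0.0155 * (i - 18),
                           build_arp_request(scanner, "192.168.103.75", f"192.168.143.{i}"))
    for k in range(4):  # same target four times: one distinct target, no alert
        alerts += det.feed(1.0 + k, build_arp_request("00:11:22:33:44:55",
                                                      "192.168.103.80", "192.168.103.1"))
    return alerts


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

The sweep alert carries the source MAC and the ARP sender IP, so the DHCP lookup the question describes can start from the hardware address straight away. Feeding live frames needs a raw socket or a pcap reader in place of build_arp_request; the threshold should be tuned against a baseline, since a broadcast-heavy VLAN or a router's own neighbour refresh can legitimately touch many addresses over a longer window.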




More information about the Snort-sigs mailing list