[Snort-users] spoof detection in snort

Geoff the UNIX guy galitz at ...247...
Sun Apr 29 22:19:17 EDT 2001


Unless snort already has this ability, which I have missed somehow,
I would like to sit down and write a spoof alert preprocessor.
Comments are solicited on the following plan.

Spoof Alert Preprocessor

Inspect network traffic to determine if a packet
with a foreign IP source address has the ARP address of
(one of) the adjacent router(s).  If no, then flag the
packet as a likely spoof.


AUTO.  In auto mode, the preprocessor analyzes the routing
table for the host that snort is running on and automatically
associates the ARP address with the router's IP address.  No
muss, no fuss.  The primary question is should that be done
by merely querying the routing table on the host, or actually
generating route requests from the application in order to
take into account multiple routing possibilities from the
local network segment that the host may not be aware of
(think hosts with default routes and no routing daemons).

The primary advantage to generating queries is if a router
ARP address changes for some reason (regular network
maintenance or failed router) without the knowledge of the
security team running the NIDS box, and thereby generating
reams of false alarms.  If a change is detected, the preprocessor
should log that fact in the form of an alert.  In this case
the route query would be generated upon startup of the
application, and then merely wait for events; there should
be no further route queries.

MANUAL.  In manual mode, provide a list of IP addresses
and possibly associated ARP addresses of valid routers
on the local network segment.


I'm a neophyte at network programming, so good pointers
to resources would be appreciated as well.  Additionally,
if there are code examples of utilities that do this now,
I would appreciate a pointer in that direction.
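As an added illustration of the check described in the plan (not code from the original post or from Snort), the following script implements the MANUAL-mode logic over a few constructed frames: a source IP outside the local segment must arrive from a known router MAC, otherwise the frame is flagged as a likely spoof. It also shows the "router ARP address changed" alert from the AUTO discussion. The subnet, router addresses and sample frames are all constructed for the example.

```python
import ipaddress
from collections import namedtuple

# One link-layer frame reduced to the two fields the check needs.
Frame = namedtuple("Frame", "src_mac src_ip")

# Constructed configuration standing in for MANUAL mode: the monitored
# segment and the known (IP, MAC) pairs of its routers.
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")
ROUTERS = {"192.0.2.1": "00:00:5e:00:53:01", "192.0.2.2": "00:00:5e:00:53:02"}


def classify(frame, local_net=LOCAL_NET, routers=ROUTERS):
    """Return 'local' for on-segment sources, 'ok' for off-segment sources that
    arrived via a known router MAC, and 'likely-spoof' otherwise."""
    if ipaddress.ip_address(frame.src_ip) in local_net:
        return "local"          # not a foreign source; the check does not apply
    if frame.src_mac.lower() in {m.lower() for m in routers.values()}:
        return "ok"
    return "likely-spoof"


def note_router_mac(router_ip, seen_mac, routers=ROUTERS):
    """Handle an ARP reply for a router IP: if its MAC differs from the
    recorded one, update the table and return an alert string, else None."""
    known = routers.get(router_ip)
    if known is None or known.lower() == seen_mac.lower():
        return None
    routers[router_ip] = seen_mac.lower()
    return f"router {router_ip} MAC changed {known} -> {seen_mac}"


# Constructed sample traffic: a local host, a genuine inbound packet via the
# router, and a packet claiming a foreign source but sent from a local NIC.
SAMPLE = [
    Frame("00:00:5e:00:53:aa", "192.0.2.50"),
    Frame("00:00:5e:00:53:01", "198.51.100.7"),
    Frame("00:00:5e:00:53:bb", "198.51.100.9"),
]


def scan(frames=SAMPLE):
    """Return only the frames flagged as likely spoofs."""
    return [f for f in frames if classify(f) == "likely-spoof"]


if __name__ == "__main__":
    for f in scan():
        print("ALERT likely spoof:", f.src_ip, "from", f.src_mac)
```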

