[Snort-users] spoof detection in snort

roel at ...47... roel at ...47...
Tue May 1 17:56:10 EDT 2001


Geoff,

I've been working off and on on this, it deals with changing MAC addresses and 
DHCP. (That is where it gets complicated really.) Hopefully I will release this
piece of code shortly after my short vacation. (couple weeks from now, barring
nothing else major comes up.)

It straddles the line between your manual and auto, it does auto, what it can do
auto, it does require that you give it the default router however. The reason
for that is so it can associate one particular mac address with foreign IP 
addresses, so it can directly identify spoofing attempts. It also tracks if 
there is more than a 1:1 relationship. (Multiple MACs have the same IP, multiple
IPs have the same MAC.)

The only weakness is that it needs to be plugged in to a local area network of
the ethernet variety; sitting it behind a router buys you very little....

roel

> 
> G'day.
> 
> Unless snort already has this ability, which I have missed somehow,
> I would like to sit down and write a spoof alert preprocessor.
> Comments are solicited on the following plan.
> 
> -------
> Spoof Alert Preprocessor
> 
> Purpose:
> Inspect network traffic to determine if a packet
> with a foreign IP source address has the ARP address of
> (one of) the adjacent router(s).  If no, then flag the 
> packet as a likely spoof.
> 
> Settings:
> 
> AUTO.  In auto mode, the preprocessor analyzes the routing
> table for the host that snort is running on and automatically
> associates the ARP address with the router's IP address.  No
> muss, no fuss.  The primary question is should that be done
> by merely querying the routing table on the host, or actually
> generating route requests from the application in order to 
> take into account multiple routing possibilities from the
> local network segment that the host may not be aware of
> (think hosts with default routes and no routing daemons
> enabled).
> 
> The primary advantage to generating queries is if a router
> ARP address changes for some reason (regular network 
> maintenance or failed router) without the knowledge of the
> security team running the NIDS box, and thereby generating
> reams of false alarms.  If a change is detected, the preprocessor
> should log that fact in the form of an alert.  In this case 
> the route query would be generated upon startup of the
> application, and then merely wait for events, there should
> be no further route queries.
> 
> 
> MANUAL.  In manual mode, provide a list of IP addresses
> and possibly associated ARP addresses of valid routers
> on the local network segment.
> 
> 
> ---------------------------------
> 
> I'm a neophyte at network programming, so good pointers
> to resources would be appreciated as well.  Additionally,
> if there are code examples of utilities that do this now,
> I would appreciate a pointer in that direction.
> 
> 
> -geoff
> 
> 

-- 
roel
Silicon Defense: Technical Support for Snort!
http://www.SiliconDefense.com
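The check Geoff's plan describes (a foreign source IP must arrive carrying a router's MAC) together with the 1:1 MAC/IP tracking Roel mentions, as an added Python example that is not code from either poster or from Snort; the local subnet, the router MAC and the sample frames are constructed values, and the router MAC is supplied by hand as in the "manual" mode.

```python
import ipaddress
from collections import defaultdict

# Constructed values: a documentation subnet and documentation-range MAC addresses.
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")
ROUTER_MACS = {"00:00:5e:00:53:01"}   # default router(s), given by hand (manual mode)

class SpoofDetector:
    def __init__(self, local_net, router_macs):
        self.local_net = local_net
        self.router_macs = {m.lower() for m in router_macs}
        self.ips_by_mac = defaultdict(set)   # local MAC -> IPs it has claimed
        self.macs_by_ip = defaultdict(set)   # local IP  -> MACs that claimed it

    def inspect(self, src_mac, src_ip):
        """Return the alerts raised by one frame (empty list if it looks normal)."""
        src_mac = src_mac.lower()
        ip = ipaddress.ip_address(src_ip)
        alerts = []
        if ip not in self.local_net:
            # A foreign source IP can only reach this segment through a router, so the
            # frame must carry a router's MAC; anything else is a likely spoof.
            if src_mac not in self.router_macs:
                alerts.append(f"SPOOF: foreign src {ip} from non-router MAC {src_mac}")
            return alerts
        # Local source: record the pairing and alert once it stops being 1:1.
        # DHCP lease changes legitimately give one MAC several IPs over time, so a
        # real preprocessor would have to age these tables (not shown here).
        self.ips_by_mac[src_mac].add(ip)
        self.macs_by_ip[ip].add(src_mac)
        if len(self.macs_by_ip[ip]) > 1:
            alerts.append(f"MAC CONFLICT: {ip} claimed by {sorted(self.macs_by_ip[ip])}")
        if len(self.ips_by_mac[src_mac]) > 1:
            ips = sorted(str(i) for i in self.ips_by_mac[src_mac])
            alerts.append(f"IP CONFLICT: {src_mac} used for {ips}")
        return alerts

# Constructed (src_mac, src_ip) pairs standing in for captured Ethernet/IP headers.
SAMPLE_FRAMES = [
    ("00:00:5E:00:53:01", "198.51.100.7"),   # foreign source via the router: fine
    ("00:00:5e:00:53:aa", "198.51.100.7"),   # same foreign source from a host MAC: spoof
    ("00:00:5e:00:53:aa", "192.0.2.10"),     # local host, first sighting
    ("00:00:5e:00:53:bb", "192.0.2.10"),     # a second MAC claiming the same IP
    ("00:00:5e:00:53:bb", "192.0.2.11"),     # that MAC now claiming a second IP
]

def run(frames=SAMPLE_FRAMES):
    det = SpoofDetector(LOCAL_NET, ROUTER_MACS)
    return [det.inspect(mac, ip) for mac, ip in frames]
```

`run()` returns one alert list per frame; with the sample frames only the second, fourth and fifth produce an alert.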