[Snort-users] ARP packets : important ?

Ryan Russell ryan at ...35...
Tue Mar 5 13:11:23 EST 2002

On Tue, 5 Mar 2002, Ashley Thomas wrote:
> From an IDS point of view is it important to look at ARP packets?
> Are there any security threats / loopholes etc.?

ARP packets with bad information/for non-existent hosts may be indicative
of someone playing games in order to be able to sniff on a switched
network, or get traffic to flow through them in order to hijack
connections.  There is also at least one ARP exploit I'm aware of that
will allow someone to cause Cisco equipment to drop off the network.

However, to be able to spot many of these attacks, you have to have an
idea of what "normal" ARP traffic is.  This would require a database of
MAC and IP addresses.  I don't know if there is a plugin for Snort to do
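
Added example, not part of the original post and not Snort code: a minimal
check of raw ARP frames against a baseline table of IP-to-MAC pairs, the kind
of "database of MAC and IP addresses" the reply describes. The addresses, the
BASELINE table and the function names are constructed for illustration.

```python
import struct

# Constructed baseline of known IP -> MAC pairs (assumed values).
BASELINE = {
    "192.0.2.1": "00:00:5e:00:53:01",
    "192.0.2.10": "00:00:5e:00:53:0a",
}

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b):
    return ".".join(str(x) for x in b)

def check_arp_frame(frame, baseline=BASELINE):
    """Return a list of alert strings for one raw Ethernet frame."""
    if len(frame) < 42:                       # 14-byte Ethernet + 28-byte ARP
        return ["truncated frame"]
    eth_src = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != 0x0806:
        return []                             # not ARP, nothing to check
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return ["unexpected ARP hardware/protocol fields"]
    sha, spa = frame[22:28], frame[28:32]     # sender MAC, sender IP
    sender_ip, sender_mac = ip_str(spa), mac_str(sha)
    alerts = []
    if sha != eth_src:                        # frame header disagrees with payload
        alerts.append(f"Ethernet source {mac_str(eth_src)} != ARP sender {sender_mac}")
    if sender_ip == "0.0.0.0":                # ARP probe (RFC 5227): no sender IP yet
        return alerts
    known = baseline.get(sender_ip)
    if known is None:
        alerts.append(f"{sender_ip} not in baseline (claimed by {sender_mac})")
    elif known != sender_mac:
        alerts.append(f"{sender_ip} is {known} in baseline, claimed by {sender_mac}")
    return alerts

def build_frame(eth_src, sha, spa, tha, tpa, oper=2, eth_dst="ff:ff:ff:ff:ff:ff"):
    """Build a constructed Ethernet+ARP frame to feed the check."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    i = lambda s: bytes(int(o) for o in s.split("."))
    return (m(eth_dst) + m(eth_src) + struct.pack("!H", 0x0806)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + m(sha) + i(spa) + m(tha) + i(tpa))
```

A baseline like this has to be kept current (DHCP leases, replaced NICs), or
every legitimate address change shows up as an alert.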


