[Snort-users] ARP packets : important ?

Jeff Nathan jeff at ...950...
Tue Mar 5 14:19:02 EST 2002


Ryan Russell wrote:
> 
> On Tue, 5 Mar 2002, Ashley Thomas wrote:
> > >From an IDS point of view is it important to look at arp packets ?
> > is there any security threats / loop holes etc ?
> 
> ARP packets with bad information/for non-existant hosts may be indicative
> of someone playing games in order to be able to sniff on a switched
> network, or get traffic to flow through them in order to hijack
> connections.  There is also at least one ARP exploit I'm aware of that
> will allow someone to cause Cisco equipment to drop off the network
> (Jeff?)
> 
> However, to be able to spot many of these attacks, you have to have an
> idea of what "normal" ARP traffic is.  This would require a database of
> MAC and IP addresses.  I don't know if there is a plugin for Snort to do
> this.
> 
>                                         Ryan
> 

Er, yeah..

there are plenty of ARP games to be played but placing IDS on each of
your collision domains can be a complicated mess.  Snort has
spp_arpspoof which allows you to specify a mapping of IP addresses to
MAC addresses (if you're feeling brave).  If you don't specify a list,
you can use it to look for a few anomalies in ARP traffic.  Your mileage
may vary.

-Jeff


-- 
http://jeff.wwti.com            (pgp key available)
"Common sense is the collection of prejudices acquired by age eighteen."
- Albert Einstein




More information about the Snort-users mailing list