[Snort-users] ARP packets : important ?
jeff at ...950...
Tue Mar 5 14:19:02 EST 2002
Ryan Russell wrote:
> On Tue, 5 Mar 2002, Ashley Thomas wrote:
> > From an IDS point of view, is it important to look at ARP packets?
> > Are there any security threats / loopholes etc.?
> ARP packets with bad information/for non-existent hosts may be indicative
> of someone playing games in order to be able to sniff on a switched
> network, or get traffic to flow through them in order to hijack
> connections. There is also at least one ARP exploit I'm aware of that
> will allow someone to cause Cisco equipment to drop off the network.
> However, to be able to spot many of these attacks, you have to have an
> idea of what "normal" ARP traffic is. This would require a database of
> MAC and IP addresses. I don't know if there is a plugin for Snort to do
There are plenty of ARP games to be played, but placing an IDS on each of
your collision domains can be a complicated mess. Snort has
spp_arpspoof which allows you to specify a mapping of IP addresses to
MAC addresses (if you're feeling brave). If you don't specify a list,
you can use it to look for a few anomalies in ARP traffic. Your mileage
http://jeff.wwti.com (pgp key available)
"Common sense is the collection of prejudices acquired by age eighteen."
- Albert Einstein
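As an added illustration of the two modes Jeff describes (a configured IP-to-MAC host list, or, without one, a few structural ARP anomalies), here is a small stand-alone checker. It is example code written for this archive page, not spp_arpspoof's own implementation or configuration syntax; the host table, MAC addresses, IP addresses and frames are all constructed for the example. It flags three things: an ARP request sent to a unicast Ethernet destination, a mismatch between the Ethernet source/destination and the ARP sender/target hardware address, and a sender claiming an IP whose MAC is pinned in the table (the "cache overwrite" case used to hijack traffic on a switched segment).

```python
"""Toy ARP anomaly checker over raw Ethernet frames (added example, not Snort code)."""
import struct

ETH = struct.Struct("!6s6sH")            # dst MAC, src MAC, ethertype
ARP = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6
ZERO_MAC = b"\x00" * 6


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def ip(s):
    return bytes(int(o) for o in s.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_frame(eth_src, eth_dst, op, sha, spa, tha, tpa):
    """Assemble an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet."""
    return ETH.pack(eth_dst, eth_src, ETHERTYPE_ARP) + ARP.pack(1, 0x0800, 6, 4, op, sha, spa, tha, tpa)


def parse_arp_frame(frame):
    """Return the fields of an Ethernet+ARP frame, or None if it is not one."""
    if len(frame) < ETH.size + ARP.size:
        return None
    eth_dst, eth_src, ethertype = ETH.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return dict(eth_dst=eth_dst, eth_src=eth_src, op=op, sha=sha, spa=spa, tha=tha, tpa=tpa)


def check_arp_frame(frame, host_table):
    """Return a list of alert strings for one frame (empty list means 'looks normal').

    host_table maps 4-byte IP -> 6-byte MAC for hosts you want pinned; it may be empty,
    in which case only the structural anomaly checks run.
    """
    alerts = []
    pkt = parse_arp_frame(frame)
    if pkt is None:
        return alerts
    # Requests are normally broadcast; a unicast request is one sign of someone probing
    # a specific host (noisy on some networks, so treat it as low severity).
    if pkt["op"] == ARP_REQUEST and pkt["eth_dst"] != BROADCAST:
        alerts.append("unicast ARP request to %s" % mac_str(pkt["eth_dst"]))
    # The ARP sender hardware address should match the frame's Ethernet source.
    if pkt["eth_src"] != pkt["sha"]:
        alerts.append("ethernet src %s != ARP sender %s" % (mac_str(pkt["eth_src"]), mac_str(pkt["sha"])))
    # For replies, the target hardware address should match the Ethernet destination.
    if pkt["op"] == ARP_REPLY and pkt["eth_dst"] != pkt["tha"]:
        alerts.append("ethernet dst %s != ARP target %s" % (mac_str(pkt["eth_dst"]), mac_str(pkt["tha"])))
    # Pinned-host check: a sender claiming a pinned IP with a different MAC.
    expected = host_table.get(pkt["spa"])
    if expected is not None and expected != pkt["sha"]:
        alerts.append("ARP cache overwrite attempt: %s claimed by %s, expected %s"
                      % (ip_str(pkt["spa"]), mac_str(pkt["sha"]), mac_str(expected)))
    return alerts


# Constructed sample data for the example: one pinned gateway, three frames.
HOSTS = {ip("192.168.1.1"): mac("00:00:5e:00:01:01")}

NORMAL_REQUEST = build_arp_frame(        # host .10 asks for the gateway: broadcast, consistent
    mac("52:54:00:aa:bb:01"), BROADCAST, ARP_REQUEST,
    mac("52:54:00:aa:bb:01"), ip("192.168.1.10"), ZERO_MAC, ip("192.168.1.1"))

SPOOFED_REPLY = build_arp_frame(         # gratuitous reply claiming the gateway IP with another MAC
    mac("52:54:00:de:ad:99"), BROADCAST, ARP_REPLY,
    mac("52:54:00:de:ad:99"), ip("192.168.1.1"), BROADCAST, ip("192.168.1.1"))

ODD_REQUEST = build_arp_frame(           # unicast request whose ARP sender MAC differs from the frame src
    mac("52:54:00:de:ad:99"), mac("52:54:00:aa:bb:01"), ARP_REQUEST,
    mac("52:54:00:aa:bb:02"), ip("192.168.1.20"), ZERO_MAC, ip("192.168.1.10"))


def run_demo(host_table=HOSTS):
    """Check the three constructed frames; returns {name: [alerts]}."""
    frames = {"normal_request": NORMAL_REQUEST, "spoofed_reply": SPOOFED_REPLY, "odd_request": ODD_REQUEST}
    return {name: check_arp_frame(f, host_table) for name, f in frames.items()}


if __name__ == "__main__":
    for name, alerts in run_demo().items():
        print(name, "->", alerts or "ok")
```

Running it with the pinned table flags the spoofed gateway reply once and the odd request twice; running `run_demo({})` drops the overwrite alert, which is the "no list, anomalies only" mode and the reason the host list is worth building for the few addresses you really care about (gateway, DNS, DHCP).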