[Snort-users] How to detect massive ARPing from Ettercap?

Gary Flynn flynngn at ...6811...
Fri Sep 27 10:46:03 EDT 2002

twig les wrote:
> Hey *, my latest spare-time toy is ettercap
> (ettercap.sourceforge.net), which among many other
> things, can map its subnet in about 10 seconds thru
> massive arping.  Unfortunately my snort box didn't see
> this happening.  More accurately, it saw it but didn't
> generate any alerts.  I know it saw it because I ran
> tcpdump on the snort box also.

Yea. I played with it a few months ago and lost
a lot of confidence in switched networks and SSH
as packet sniffing prevention measures :)

There is an arpspoof module listed in the snort.conf file.
I haven't tried it.

Of course, the box doing the monitoring would have to
be on the segment where the arpspoofing is occurring.
You wouldn't see it on the other side of a router

Another tool I've heard of in this respect is arpwatch.
Again, it would have to be deployed on each segment.

You may be able to do something with regular monitoring
of your core router arp caches too.

Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.

More information about the Snort-users mailing list