[Snort-users] ARP poisoning and sniffing in a Switched Network

twig les twigles at ...131...
Wed Dec 17 13:34:01 EST 2003

--- CGhercoias at ...8619... wrote:
> Hello,
> Has anyone heard about Cain&Abel for Windows -- http://www.oxid.it/cain.html ?
> ...it has a lot of new features like APR (Arp Poison Routing), which
> enables sniffing on switched LANs by hijacking the IP traffic of multiple
> hosts at the same time. The sniffer can also analyze encrypted protocols
> such as SSH-1 and HTTPS if used with APR (ARP Poisoning Routing) and a
> Man-in-the-middle situation...
> I tested it personally and it is impressive. You can sniff anything from
> anywhere within the same subnet; it can spoof any IP address and any MAC
> address. It decrypts SSH sessions, telnet and HTTPS sessions.
> As far as I can tell -- I don't want something like this in my corporate
> network!
> Is there any rule for Snort to catch this kind of (illegal) ARP traffic?
> Assuming that I turn on 'Port Security' on all switches, the problem
> still remains if some disgruntled employee installs it and makes use of
> a real IP and a real MAC address.
> Not to mention that it can cause DoS in the network because of the
> poisoning.
> As far as I know ARP is a stateless protocol that does not require any
> kind of authentication, so a simple ARP Reply packet sent to each host
> will force an update in their ARP cache -- therefore ARP poisoning.

Yes, I have Cain&Abel (really fun tool) and yes there is a
preprocessor called arpspoof.  Search snort.conf for
"#preprocessor arpspoof" and remove the #.  There is a price to
pay for this preprocessor though.  You have to manually map IPs
and MACs, yuck.  Also if the ARP is not within your broadcast
domain you won't see it, so Snort won't know anything about it.

If you are really worried about this go for it.  Also, enabling
port protect (I assume you are referring to the small Cisco
Catalyst feature) is a great way to achieve compartmentalization
with little effort on your part, and most hosts should never
talk to each other directly anyhoo.

> Thank you,
> ___________________________
> Catalin Ghercoias
> WEB/Network Security Administrator
> website: http://www.fye.com
> The content of this communication is classified as Trans World
> Entertainment Confidential and Proprietary Information. As such, it is
> intended solely for the use of the individual or entity to whom it is
> addressed and only others who are authorized to receive it. If you are
> not one of those, you are hereby notified that any disclosure, copying,
> distribution, or action in reliance on the contents of this information
> is strictly prohibited and may be unlawful. If you have received this
> communication in error, please notify us immediately by responding to
> this communication and then deleting it from your system.

Ouch, pretty mean policy, I'm deleting this message now.  ;-)

Get a taste of Religion ... eat a priest!       
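To make the "manually map IPs and MACs" remark in the reply concrete: in Snort 2.x the arpspoof preprocessor is enabled with `preprocessor arpspoof` (add `-unicast` to also flag unicast ARP requests) and fed one `preprocessor arpspoof_detect_host: <ip> <mac>` line per host you care about, typically the gateway and servers. The script below is an added example, not part of this thread and not Snort's own code. It reimplements the same kinds of checks in Python over constructed Ethernet/ARP frames so you can see what trips them: a mismatch between the Ethernet source MAC and the ARP sender hardware address, a mismatch between the Ethernet destination and the ARP target, a unicast ARP request, and an ARP reply that claims a mapped IP with the wrong MAC. The IPs and MACs (192.168.1.1 as gateway, 192.168.1.10 as a client, 00:11:22:33:44:66 as the attacker) are assumptions for the example. Frame 2 is the case the original poster worried about: the attacker keeps a real, port-security-compliant MAC and simply answers for the gateway's IP, which port security cannot see but the static mapping check does.

```python
import struct

ETH_TYPE_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2
BROADCAST = b"\xff" * 6

# Known-good IP -> MAC mappings, the same information Snort's
# arpspoof_detect_host lines carry. Constructed for this example.
KNOWN_HOSTS = {
    "192.168.1.1": "00:11:22:33:44:01",   # assumed gateway
    "192.168.1.10": "00:11:22:33:44:10",  # assumed client
}


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(eth_src, eth_dst, op, sha, spa, tha, tpa):
    """Build a 42-byte Ethernet II frame carrying an Ethernet/IPv4 ARP packet."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)
    return eth + arp


def check_frame(frame):
    """Return the list of alert strings one frame raises (empty if clean)."""
    alerts = []
    eth_dst, eth_src = frame[0:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return alerts
    _, _, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if hlen != 6 or plen != 4:
        return alerts  # not Ethernet/IPv4 ARP, nothing to check
    sha, spa = frame[22:28], frame[28:32]
    tha, tpa = frame[32:38], frame[38:42]

    # ARP requests are normally broadcast; a unicast one is a targeted probe
    if op == ARP_REQUEST and eth_dst != BROADCAST:
        alerts.append("unicast ARP request")
    # the link-layer source must be the host that claims to be the sender
    if eth_src != sha:
        alerts.append("ethernet src / ARP sender MAC mismatch")
    # for replies, the link-layer destination must be the ARP target
    if op == ARP_REPLY and eth_dst != tha:
        alerts.append("ethernet dst / ARP target MAC mismatch")
    # a reply advertising a mapped IP with an unexpected MAC is a cache overwrite
    if op == ARP_REPLY:
        expected = KNOWN_HOSTS.get(ip_str(spa))
        if expected is not None and mac_bytes(expected) != sha:
            alerts.append(
                f"ARP cache overwrite attempt: {ip_str(spa)} claimed by "
                f"{mac_str(sha)}, expected {expected}"
            )
    return alerts


GW, CLIENT, ATTACKER = "00:11:22:33:44:01", "00:11:22:33:44:10", "00:11:22:33:44:66"

# Constructed sample traffic (not a real capture):
SAMPLE_FRAMES = [
    # 0: legitimate reply from the gateway to the client
    build_arp(GW, CLIENT, ARP_REPLY, GW, "192.168.1.1", CLIENT, "192.168.1.10"),
    # 1: poisoning reply, attacker uses its own real MAC but claims the gateway IP
    build_arp(ATTACKER, CLIENT, ARP_REPLY, ATTACKER, "192.168.1.1", CLIENT, "192.168.1.10"),
    # 2: forged reply where the ARP payload says "gateway" but the frame came from the attacker
    build_arp(ATTACKER, CLIENT, ARP_REPLY, GW, "192.168.1.1", CLIENT, "192.168.1.10"),
    # 3: unicast ARP request from the attacker probing the client
    build_arp(ATTACKER, CLIENT, ARP_REQUEST, ATTACKER, "192.168.1.66", "00:00:00:00:00:00", "192.168.1.10"),
]


def scan(frames):
    """Run check_frame over every frame; return (index, alerts) for those that alert."""
    return [(i, check_frame(f)) for i, f in enumerate(frames) if check_frame(f)]


if __name__ == "__main__":
    for idx, alerts in scan(SAMPLE_FRAMES):
        for a in alerts:
            print(f"frame {idx}: {a}")
```

As with the preprocessor itself, this only works for ARP you can actually see: the sensor must sit in the same broadcast domain as the hosts in the map, and the map has to be kept current when a gateway or server NIC is replaced, or the check turns into a steady source of false positives.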
