[Snort-users] Re: ARPSpoof!

Jeff Nathan jeff at ...950...
Tue Feb 17 17:28:04 EST 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Andrew,

I am very busy with my day job and have limited time to work on Snort 
related projects for the next few weeks.

In order for me to address your question, I need *MUCH* more 
information.

How are you generating ARP frames to test arpspoof?

Are you adding entries to the snort.conf file where the hardware 
address slightly differs from the correct hardware address?

Are you using a piece of software to generate ARP frames?

Can you send me a tcpdump formatted capture file from the machine 
running snort?  Please do something like this to save the file: tcpdump 
- -s 100 -w arp.out arp

I cannot help you without knowing more.  For example, from the 
information you have provided I cannot determine whether or not ARP 
frames are being generated which would match the in-memory 
configuration of spp_arpspoof.  Also, I cannot confirm that the system 
running snort can see these ARP frames, which might occur due to your 
network topology.

I will do my best to answer your question once I have more information.

Thank you for understanding that I'm a volunteer.

- -Jeff


On Feb 17, 2004, at 8:01 PM, Andrew Steven wrote:

> Hi,
> How are you? Hope you would have seen my mail to the mailing list 
> regarding the ARP cache overwrite attacks. I will tell you how i 
> performed my test on snort. Disabled all other preprocessors except 
> the following in snort.conf.
> preprocessor arpspoof
> preprocessor arpspoof_detect_host: 10.1.1.1 00:D0:59:26:85:5E
> preprocessor arpspoof_detect_host: 10.1.1.2 00:D0:B7:44:9E:03
>
> Enabled the tcpdump logging for snort and simultaneously made the 
> ethereal also to sniff. In ethereal i could see the step by step 
> packets like ARP request, ARP reply and so on... But in snort's 
> tcpdump, i didnt see any ARP request or ARP reply but instead an ICMP 
> packet where both the source IP and destination IP's MAC address are 
> resolved. What happened to the ARP packets. Dropped?
>
> One more criteria,
>
> preprocessor arpspoof
> preprocessor arpspoof_detect_host: 10.1.1.1 00:D0:59:26:85:5E
>
> Havinag only one configuration is fine. Snort's TCPDump has the ARP 
> packets and there by raising the ARP cache overwrite attacks.
>
> These are my findings. Awaiting for your reply.
> Regards,
> Andrew.
>
> _________________________________________________________________
> Keep track of Singapore & Malaysia stock prices. 
> http://www.msn.com.sg/money/
>
>

- --
Custom packets with little to no money down.
http://nemesis.sourceforge.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFAMr57Eqr8+Gkj0/0RAusIAKDBNeYxP3LuIoKI4zP8KoV8041xfgCcCFn+
vQmWuhTiiAKRv0hLce7/sLk=
=QZu7
-----END PGP SIGNATURE-----





More information about the Snort-users mailing list