[Snort-users] Re: ARPSpoof!

Jeff Nathan jeff at ...950...
Tue Feb 17 20:21:01 EST 2004

Hash: SHA1


I'm afraid you don't understand what arpspoofing is.

Let me explain what the preprocessor is designed to do and why your 
tests are never going to generate arpspoof alerts.

When computers communicate using IP over Ethernet, it is often 
necessary to determine the Ethernet, or layer 2, address of an IP 

Regardless of whether your packets must be routed through an IP router, 
or your computer is physically connected to the same Ethernet as 
another computer, the next hop address (in the case of routing), or the 
destination address (in the case of being directly connected) must be 
determined at layer 2.

Before your computer can send IP packets to another, it consults its 
routing table.  If the destination must be reached through a router, 
your computer will send the IP packets through the router, if it is 
directly connected your computer will simply send the packets directly 
to the destination.

ARP, or Address Resolution Protocol, figures out the hardware (Ethernet 
in most cases) address of an IP address.  Whether routing or delivering 
Ethernet frames directly to another computer, the hardware address of 
the destination or router must be determined.

Your computer will send an ARP request to the Ethernet broadcast 
address (ff:ff:ff:ff:ff:ff) asking for the hardware address associated 
with that IP address.  If a system is connected to the network and 
assigned that IP address, it is expected to answer by sending an ARP 
reply back to your computer containing its hardware address.

The configuration of the arpspoof preprocessor requires that you 
specify an IP address/ethernet address pair for a given host.  If the 
preprocessor observes an ARP frame where the SENDER IP address matches 
one of the configuration entries you have added to snort.conf and the 
SENDER hardware address does not match the configuration, an alert is 

Here is the basic logic:

In snort.conf you have an IP address A / Ethernet address X pair in 

IF snort sees an ARP frame where the sender is IP address A
     IF the Ethernet address is *NOT* X
         THEN snort generates an alert

Let me dissect your tests.  First, your configuration specifies two 
IP/mac address pairs to monitor:
preprocessor arpspoof_detect_host: 00:20:ED:00:CC:78
preprocessor arpspoof_detect_host: 00:02:B3:62:8C:D6

the tcpdump formatted file you sent me contains only two ARP frames:

(mangler):~/Desktop/tcpdump$ 22: tcpdump -entvvr ethereal.log arp | more
00:02:b3:a4:97:5a ff:ff:ff:ff:ff:ff 0806 60: arp who-has 
00:02:b3:62:8c:d6 00:02:b3:a4:97:5a 0806 60: arp reply 
is-at 00:02:b3:62:8c:d6

First, it is important to notice that ARP frames are seen for ONLY.  No ARP frames are seen for the other IP address.  
Second, as observed from the tcpdump output, the hardware address in 
the ARP frames *MATCHES* the hardware address you have specified in 
your configuration.  Therefore, there is nothing to alert on.

By specifying an IP address/Ethernet address pair in snort.conf, you 
are instructing Snort to alert when it sees a *DIFFERENT* hardware 
address for that IP address, and not when it sees the correct hardware 

I would love to explain this in more detail, but I think you would 
benefit greatly from reading up on ARP before I elaborate too much 
more.  Please, before you use spp_arpspoof please ensure you know what 
it is intended to do.


- -Jeff

On Feb 17, 2004, at 10:27 PM, Andrew Steven wrote:

> Hi Jeff,
> Happy to see you mailing me out of your busy schedules. Am sorry to 
> disturb
> you as i find no other better person than you, who can guide me on the
> problems i face with ARP. Herewith i enclose the tcpdump from snort as 
> well
> as the captured file from ethereal for your perusal. Am using NMAP to
> generate the ARP frames.
> The configurations in the snort.conf is
> preprocessor arpspoof
> preprocessor arpspoof_detect_host: 00:20:ED:00:CC:78
> preprocessor arpspoof_detect_host: 00:02:B3:62:8C:D6
> My problem is, am always seeing the ARP frame only for the last host 
> in the
> configuration. for e.g in this case If i add one more 
> pair after, then i do get the ARP frames for the lastly 
> entered
> IP/MAC pair only.
> PSA the tcpdump files.
> Thanks in Advance.
> Regards,
> Lora.
>> From: Jeff Nathan <jeff at ...950...>
>> To: "Andrew Steven" <andtan_sg at ...125...>
>> CC: snort-users at lists.sourceforge.net
>> Subject: Re: ARPSpoof!
>> Date: Tue, 17 Feb 2004 20:23:04 -0500
>> Hash: SHA1
>> Andrew,
>> I am very busy with my day job and have limited time to work on Snort
>> related projects for the next few weeks.
>> In order for me to address your question, I need *MUCH* more 
>> information.
>> How are you generating ARP frames to test arpspoof?
>> Are you adding entries to the snort.conf file where the hardware 
>> address
>> slightly differs from the correct hardware address?
>> Are you using a piece of software to generate ARP frames?
>> Can you send me a tcpdump formatted capture file from the machine 
>> running
>> snort?  Please do something like this to save the file: tcpdump - -s 
>> 100 -w
>> arp.out arp
>> I cannot help you without knowing more.  For example, from the 
>> information
>> you have provided I cannot determine whether or not ARP frames are 
>> being
>> generated which would match the in-memory configuration of 
>> spp_arpspoof.
>> Also, I cannot confirm that the system running snort can see these ARP
>> frames, which might occur due to your network topology.
>> I will do my best to answer your question once I have more 
>> information.
>> Thank you for understanding that I'm a volunteer.
>> - -Jeff
>> On Feb 17, 2004, at 8:01 PM, Andrew Steven wrote:
>>> Hi,
>>> How are you? Hope you would have seen my mail to the mailing list
>>> regarding the ARP cache overwrite attacks. I will tell you how i 
>>> performed
>>> my test on snort. Disabled all other preprocessors except the 
>>> following in
>>> snort.conf.
>>> preprocessor arpspoof
>>> preprocessor arpspoof_detect_host: 00:D0:59:26:85:5E
>>> preprocessor arpspoof_detect_host: 00:D0:B7:44:9E:03
>>> Enabled the tcpdump logging for snort and simultaneously made the 
>>> ethereal
>>> also to sniff. In ethereal i could see the step by step packets like 
>>> ARP
>>> request, ARP reply and so on... But in snort's tcpdump, i didnt see 
>>> any
>>> ARP request or ARP reply but instead an ICMP packet where both the 
>>> source
>>> IP and destination IP's MAC address are resolved. What happened to 
>>> the ARP
>>> packets. Dropped?
>>> One more criteria,
>>> preprocessor arpspoof
>>> preprocessor arpspoof_detect_host: 00:D0:59:26:85:5E
>>> Havinag only one configuration is fine. Snort's TCPDump has the ARP
>>> packets and there by raising the ARP cache overwrite attacks.
>>> These are my findings. Awaiting for your reply.
>>> Regards,
>>> Andrew.
>>> _________________________________________________________________
>>> Keep track of Singapore & Malaysia stock prices.
>>> http://www.msn.com.sg/money/
>> - --
>> Custom packets with little to no money down.
>> http://nemesis.sourceforge.net
>> Version: GnuPG v1.2.4 (Darwin)
>> iD8DBQFAMr57Eqr8+Gkj0/0RAusIAKDBNeYxP3LuIoKI4zP8KoV8041xfgCcCFn+
>> vQmWuhTiiAKRv0hLce7/sLk=
>> =QZu7
>> -----END PGP SIGNATURE-----
> _________________________________________________________________
> Find love on MSN Personals http://personals.msn.com.sg/
> <tcpdump.zip>

- --
The original EZ-bake packet oven.
Version: GnuPG v1.2.4 (Darwin)


More information about the Snort-users mailing list