[Snort-users] Tcp session hijacking

Meysam Farazmand farazmand.meisam at ...11827...
Tue Aug 19 08:40:26 EDT 2014


Hi,

NP. Yes, I know. My problem is that although "ettercap" changes the MAC address
of the victim during communication, and I see these changes with Wireshark,
Snort does not generate any alert on this. Did you test this capability of
Snort?

On Aug 19, 2014 5:03 PM, "Joel Esler (jesler)" <jesler at ...589...> wrote:

>  Sorry about that.
>
>  129:9 and 129:10 are the preprocessor alerts.
>
> --
> Joel Esler
> Sent from my iPhone
>
> On Aug 19, 2014, at 8:02, "Meysam Farazmand" <farazmand.meisam at ...11827...>
> wrote:
>
>   Hi Joel,
>
> But according to the Snort user manual, the stream5 check_session_hijacking
> option is based on MAC address checking on both sides of a communication.
>
> More exactly:
> " Check for TCP session hijacking. This check validates the hardware (MAC)
> address from both sides of the connect - as established on the 3-way
> handshake against subsequent packets received on the session. If an
> ethernet layer is not part of the protocol stack received by Snort, there
> are no checks performed. Alerts are generated (per 'detect_anomalies'
> option) for either the client or server when the MAC address for one side
> or the other does not match. The default is set to off."
> On Aug 19, 2014 4:24 PM, "Joel Esler (jesler)" <jesler at ...589...> wrote:
>
>> Stream5 does not do mac address tracking.
>>
>>
>>  On Aug 19, 2014, at 4:16 AM, Meysam Farazmand <
>> farazmand.meisam at ...11827...> wrote:
>>
>>  Hi Waldo,
>>
>> Thank you for the reply. Yes, you're right. I am doing a project with Snort
>> and my project manager wants me to test Snort's session hijacking detection
>> capability. If we assume that the attacker does not use a spoofed MAC address,
>> the similarity between session hijacking and MITM is that in both, the MAC
>> address of one side changes. So Snort should detect this MAC address change
>> with stream5. Is it correct?
>> On Aug 17, 2014 9:27 PM, "waldo kitty" <wkitty42 at ...14940...> wrote:
>>
>>> On 8/17/2014 5:37 AM, Meysam Farazmand wrote:
>>> > Hi all,
>>> >
>>> > I used "check_session_hijacking" in stream5 preprocessor for session hijacking
>>> > attacks detection and launched a mitm attack. But snort did not detect it.
>>>
>>> session hijacking and mitm are not the same...
>>>
>>> session hijacking is where you take over or continue with someone's existing or
>>> previous session...
>>>
>>> mitm is where you are in the middle and have valid sessions with both parties
>>> and pass their traffic across while doing what you want with it in the middle...
>>>
>>>
>>> --
>>>   NOTE: No off-list assistance is given without prior approval.
>>>         Please *keep mailing list traffic on the list* unless
>>>         private contact is specifically requested and granted.
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>
>>> Please visit http://blog.snort.org to stay current on all the latest
>>> Snort news!
>>>
>
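
The check quoted from the manual in this thread, as a simplified model over constructed packet records (an added example, not part of the original messages and not Snort's code): it learns each side's MAC during the three-way handshake and flags later packets whose source MAC differs. The `Pkt` record, the function names and all addresses are assumptions made for the illustration.

```python
from collections import namedtuple

# Constructed packet record: Ethernet source MAC, (ip, port) endpoints, TCP flags.
Pkt = namedtuple("Pkt", "src_mac src dst flags")

def check_session(packets):
    """Return (packet_index, side) for every MAC mismatch in one TCP session."""
    client = server = None      # endpoints learned from SYN and SYN/ACK
    macs = {}                   # endpoint -> MAC recorded during the handshake
    established = False
    alerts = []
    for i, p in enumerate(packets):
        if not established:
            if p.flags == "S":                      # SYN: record client MAC
                client, macs[p.src] = p.src, p.src_mac
            elif p.flags == "SA" and client:        # SYN/ACK: record server MAC
                server, macs[p.src] = p.src, p.src_mac
            elif p.flags == "A" and server:         # final ACK: baseline is fixed
                established = True
            continue
        expected = macs.get(p.src)
        if expected is not None and p.src_mac != expected:
            alerts.append((i, "client" if p.src == client else "server"))
    return alerts

# Constructed sample data (not from the thread).
C, S = ("10.0.0.5", 40000), ("10.0.0.9", 80)
MAC_C, MAC_S, MAC_X = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", "cc:cc:cc:cc:cc:03"

def handshake(mac_c, mac_s):
    return [Pkt(mac_c, C, S, "S"), Pkt(mac_s, S, C, "SA"), Pkt(mac_c, C, S, "A")]

# Case 1: the client-side MAC changes after the handshake was observed.
changed_mid_session = handshake(MAC_C, MAC_S) + [
    Pkt(MAC_C, C, S, "PA"), Pkt(MAC_X, C, S, "PA"), Pkt(MAC_S, S, C, "A")]

# Case 2: the handshake itself was observed with MAC_X on the client side,
# so MAC_X becomes the baseline and later packets match it.
baseline_is_other_mac = handshake(MAC_X, MAC_S) + [
    Pkt(MAC_X, C, S, "PA"), Pkt(MAC_S, S, C, "A")]

if __name__ == "__main__":
    print("case 1:", check_session(changed_mid_session))
    print("case 2:", check_session(baseline_is_other_mac))
```

In this model the baseline is whatever the sensor saw during the handshake, so when validating the option the MAC change has to occur on a session whose handshake the sensor already observed.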