[Snort-users] Tcp session hijacking

Meysam Farazmand farazmand.meisam at ...11827...
Tue Aug 19 10:37:38 EDT 2014


Hi Russ,

Yeah, I have all of this. I have 2 rules in my preprocessor.rules file for
session hijacking detection.
On Aug 19, 2014 5:30 PM, "Russ Combs (rucombs)" <rucombs at ...589...> wrote:

>  Do you have stream5_tcp: detect_anomalies set?  Do you have config
> autogenerate_preprocessor_decoder_rules or the stubs for 129:9 and 129:10
> included?
>
>  ------------------------------
> *From:* Meysam Farazmand [farazmand.meisam at ...11827...]
> *Sent:* Tuesday, August 19, 2014 8:40 AM
> *To:* snort-users at lists.sourceforge.net
> *Subject:* Re: [Snort-users] Tcp session hijacking
>
>   Hi,
>
> NP. Yes, I know. My problem is that although "ettercap" changes the MAC
> address of the victim during communication, and I see these changes with
> Wireshark, Snort does not generate any alert on this. Did you test this
> capability of Snort?
> On Aug 19, 2014 5:03 PM, "Joel Esler (jesler)" <jesler at ...589...> wrote:
>
>>  Sorry about that.
>>
>>  129:9 and 129:10 are the preprocessor alerts.
>>
>> --
>> Joel Esler
>> Sent from my iPhone
>>
>> On Aug 19, 2014, at 8:02, "Meysam Farazmand" <farazmand.meisam at ...11827...>
>> wrote:
>>
>>   Hi Joel,
>>
>> But according to the Snort user manual, the stream5 check_session_hijacking
>> option is based on MAC address checking on both sides of a communication.
>>
>> More exactly:
>> " Check for TCP session hijacking. This check validates the hardware
>> (MAC) address from both sides of the connect - as established on the 3-way
>> handshake against subsequent packets received on the session. If an
>> ethernet layer is not part of the protocol stack received by Snort, there
>> are no checks performed. Alerts are generated (per 'detect_anomalies'
>> option) for either the client or server when the MAC address for one side
>> or the other does not match. The default is set to off."
>> On Aug 19, 2014 4:24 PM, "Joel Esler (jesler)" <jesler at ...589...> wrote:
>>
>>> Stream5 does not do mac address tracking.
>>>
>>>
>>>  On Aug 19, 2014, at 4:16 AM, Meysam Farazmand <
>>> farazmand.meisam at ...11827...> wrote:
>>>
>>>  Hi Waldo,
>>>
>>> Thank you for the reply. Yes, you're right. I am doing a project with Snort,
>>> and my project manager wants me to test Snort's session hijacking detection
>>> capability. If we assume that the attacker does not use a spoofed MAC address,
>>> the similarity between session hijacking and MITM is that in both, the MAC
>>> address of one side changes. So Snort should detect this MAC address change
>>> with stream5. Is that correct?
>>> On Aug 17, 2014 9:27 PM, "waldo kitty" <wkitty42 at ...14940...> wrote:
>>>
>>>> On 8/17/2014 5:37 AM, Meysam Farazmand wrote:
>>>> > Hi all,
>>>> >
>>>> > I used "check_session_hijacking" in the stream5 preprocessor for session
>>>> > hijacking attack detection and launched a MITM attack. But Snort did not
>>>> > detect it.
>>>>
>>>> session hijacking and mitm are not the same...
>>>>
>>>> session hijacking is where you take over or continue with someone's
>>>> existing or previous session...
>>>>
>>>> mitm is where you are in the middle and have valid sessions with both
>>>> parties and pass their traffic across while doing what you want with it
>>>> in the middle...
>>>>
>>>>
>>>> --
>>>>   NOTE: No off-list assistance is given without prior approval.
>>>>         Please *keep mailing list traffic on the list* unless
>>>>         private contact is specifically requested and granted.
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> _______________________________________________
>>>> Snort-users mailing list
>>>> Snort-users at lists.sourceforge.net
>>>> Go to this URL to change user options or unsubscribe:
>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>> Snort-users list archive:
>>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>>
>>>> Please visit http://blog.snort.org to stay current on all the latest
>>>> Snort news!
>>>>
>>>
>>>
>>>
>>>
>>
>>
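A small model of the check described in the manual text quoted above, added here as an illustration and not Snort's own code: each side's MAC is fixed by the first frame it sends during the handshake, later frames from that side are compared against it, a frame with no Ethernet layer is skipped, and nothing fires unless detect_anomalies is on. The IPs, MACs and packet trace are constructed; the client/server split of 129:9 and 129:10 is assumed from the Snort manual.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# All IPs and MACs below are constructed sample values for this example.
@dataclass
class Packet:
    src_ip: str
    src_mac: Optional[str]   # None models a packet with no Ethernet layer

@dataclass
class Session:
    client_ip: str
    macs: dict = field(default_factory=dict)   # side -> MAC seen in handshake

def check_packet(sess: Session, pkt: Packet, detect_anomalies: bool) -> Optional[str]:
    """Model of stream5's check_session_hijacking for one packet.
    The first frame seen from each side (the 3-way handshake) fixes that
    side's MAC; every later frame from that side must carry the same MAC.
    Returns an alert id string, or None."""
    if pkt.src_mac is None:      # no Ethernet layer: no check is performed
        return None
    side = "client" if pkt.src_ip == sess.client_ip else "server"
    known = sess.macs.get(side)
    if known is None:            # still in the handshake: learn this side's MAC
        sess.macs[side] = pkt.src_mac
        return None
    if detect_anomalies and pkt.src_mac != known:
        # 129:9 / 129:10 are the stream5 hijack alerts named in the thread;
        # which is client and which is server follows the Snort manual (assumed).
        return "129:9 client MAC changed" if side == "client" else "129:10 server MAC changed"
    return None

def run(packets: List[Packet], detect_anomalies: bool = True) -> List[str]:
    """Feed a trace through the check; the first packet's source is the client."""
    sess = Session(client_ip=packets[0].src_ip)
    alerts = [check_packet(sess, p, detect_anomalies) for p in packets]
    return [a for a in alerts if a]

# Constructed trace: handshake, then the server's replies arrive from a
# different MAC, the change an ARP-poisoning MITM on the same LAN produces.
TRACE = [
    Packet("10.0.0.5",  "02:00:00:00:00:01"),   # SYN from client
    Packet("10.0.0.10", "02:00:00:00:00:02"),   # SYN/ACK from server
    Packet("10.0.0.5",  "02:00:00:00:00:01"),   # ACK from client
    Packet("10.0.0.10", "02:00:00:00:00:99"),   # server data, new MAC
    Packet("10.0.0.5",  None),                  # frame without Ethernet layer
]
```

Running `run(TRACE)` yields one 129:10 alert; with `detect_anomalies=False`, or if Snort never sees the Ethernet layer (for example when capturing traffic that has already crossed a router), the same trace produces none.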