[Snort-users] Tcp session hijacking

Meysam Farazmand farazmand.meisam at ...11827...
Tue Aug 19 13:00:26 EDT 2014

Hi Jefferson,

When we do a man in the middle attack, all of the devices' ARP tables are
updated with the MAC address of the attacker. So this change in MAC address
should be detected as session hijacking by the stream5 preprocessor. Because the
stream5 check_session_hijacking option relies on changes in the MAC address of a tcp

Also my switch is unmanaged and has no capability of mac spoofing detection.
On Aug 19, 2014 9:11 PM, "Jefferson, Shawn" <Shawn.Jefferson at ...14448...>

> Wouldn’t your MAC addresses just be those of your routers anyway?  Any
> non-trivial network (ie. Enterprise) probably won’t get much benefit from
> Snort trying to detect this.  You’re better off using the anti-mac spoofing
> features of your switches, IMO.
> *From:* Meysam Farazmand [mailto:farazmand.meisam at ...11827...]
> *Sent:* August 19, 2014 1:16 AM
> *To:* snort-users at lists.sourceforge.net
> *Subject:* Re: [Snort-users] Tcp session hijacking
> Hi Waldo,
> Thank you for the reply. Yes, you're right. I am doing a project with snort and
> my project manager wants me to test snort's session hijacking detection
> capability. If we assume that the attacker does not use a spoofed MAC address,
> the similarity between session hijacking and mitm is that in both, the MAC address
> of one side changes. So snort should detect this MAC address change with
> stream5. Is that correct?
> On Aug 17, 2014 9:27 PM, "waldo kitty" <wkitty42 at ...14940...> wrote:
> On 8/17/2014 5:37 AM, Meysam Farazmand wrote:
> > Hi all,
> >
> > I used "check_session_hijacking" in stream5 preprocessor for session hijacking
> > attacks detection and launched a mitm attack. But snort did not detect it.
> session hijacking and mitm are not the same...
> session hijacking is where you take over or continue with someone's existing or
> previous session...
> mitm is where you are in the middle and have valid sessions with both parties
> and pass their traffic across while doing what you want with it in the middle...
> --
>   NOTE: No off-list assistance is given without prior approval.
>         Please *keep mailing list traffic on the list* unless
>         private contact is specifically requested and granted.
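
Added example, not part of the original thread and not Snort's code: a simplified Python model of a per-session MAC consistency check of the kind discussed above, run over constructed frame records as a sensor would see them. It assumes the baseline MAC for each endpoint is learned from that endpoint's handshake packet; all names and addresses are made up.

```python
from collections import namedtuple

# Constructed frame record: Ethernet source MAC, TCP endpoints, TCP flags.
Frame = namedtuple("Frame", "src_mac src dst flags")

CLIENT, SERVER = "00:00:5e:00:53:01", "00:00:5e:00:53:02"
OTHER, ROUTER = "00:00:5e:00:53:66", "00:00:5e:00:53:fe"
C, S = "192.0.2.10:40000", "192.0.2.20:80"

def check_mac_consistency(frames):
    """Return (index, endpoint, baseline_mac, seen_mac) for each mismatch."""
    sessions = {}  # session key -> {endpoint: baseline MAC}
    alerts = []
    for i, f in enumerate(frames):
        macs = sessions.setdefault(frozenset((f.src, f.dst)), {})
        # Assumption: the baseline is taken from the SYN / SYN-ACK.
        if f.flags in ("S", "SA") and f.src not in macs:
            macs[f.src] = f.src_mac
            continue
        known = macs.get(f.src)
        if known is not None and known != f.src_mac:
            alerts.append((i, f.src, known, f.src_mac))
    return alerts

# Case 1: the client's MAC changes after the handshake. Flagged.
CHANGE_MID_SESSION = [
    Frame(CLIENT, C, S, "S"), Frame(SERVER, S, C, "SA"),
    Frame(CLIENT, C, S, "A"), Frame(OTHER, C, S, "PA"),
]

# Case 2: the ARP caches were already altered before the session started,
# so the baseline itself is the intermediate host's MAC. Nothing changes
# within the session and the check stays silent.
IN_PATH_BEFORE_HANDSHAKE = [
    Frame(OTHER, C, S, "S"), Frame(SERVER, S, C, "SA"),
    Frame(OTHER, C, S, "A"), Frame(OTHER, C, S, "PA"),
]

# Case 3: the client is behind a router, so the sensor only ever sees the
# router's MAC for that side, whatever happens on the far segment.
ROUTED = [
    Frame(ROUTER, C, S, "S"), Frame(SERVER, S, C, "SA"),
    Frame(ROUTER, C, S, "A"), Frame(ROUTER, C, S, "PA"),
]

if __name__ == "__main__":
    for name in ("CHANGE_MID_SESSION", "IN_PATH_BEFORE_HANDSHAKE", "ROUTED"):
        print(name, check_mac_consistency(globals()[name]))
```

Only the first case produces an alert, which is why the timing of the ARP change relative to the handshake, and the sensor's position relative to routers, decide whether a MAC-based check can see anything.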