[Snort-users] Tcp session hijacking

Jefferson, Shawn Shawn.Jefferson at ...14448...
Tue Aug 19 12:41:30 EDT 2014

Wouldn’t your MAC addresses just be those of your routers anyway?  Any non-trivial network (ie. Enterprise) probably won’t get much benefit from Snort trying to detect this.  You’re better off using the anti-mac spoofing features of your switches, IMO.

From: Meysam Farazmand [mailto:farazmand.meisam at ...11827...]
Sent: August 19, 2014 1:16 AM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Tcp session hijacking

Hi Waldo,

Thank you for reply.yes you're right. I am doing a project with snort and my project manager wants me to test snort session hijacking detection capability. If we assume that attacker does not use spoofed MAC address, similarity between session hijacking and mitm is that in both, MAC address of on side changes. So snort should detect this MAC address changing with stream5. Is it correct?
On Aug 17, 2014 9:27 PM, "waldo kitty" <wkitty42 at ...14940...<mailto:wkitty42 at ...14940...>> wrote:
On 8/17/2014 5:37 AM, Meysam Farazmand wrote:
> Hi all,
> I used "check_session_hijacking" in stream5 preprocessor for session hijacking
> attacks detection and launched a mitm attack. But snort did not detect it.

session hijacking and mitm are not the same...

session hijacking is where you take over or continue with someone's existing or
previous session...

mitm is where you are in the middle and have valid sessions with both parties
and pass their traffic across while doing what you want with it in the middle...

  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.

Snort-users mailing list
Snort-users at lists.sourceforge.net<mailto:Snort-users at lists.sourceforge.net>
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

Please visit http://blog.snort.org to stay current on all the latest Snort news!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140819/35a99f7d/attachment.html>

More information about the Snort-users mailing list