[Snort-users] Tcp session hijacking

Meysam Farazmand farazmand.meisam at ...11827...
Tue Aug 19 14:04:02 EDT 2014


Hi Waldo,

My testing network consists of four PCs and an unmanaged switch, and I don't
have any router. As I said before, I poisoned the ARP tables of all the PCs and
the switch with "ettercap". So, when the benign PC makes a TCP connection to the
Snort PC and we poison its ARP tables, the source MAC address changes to the MAC
address of the attacker, and I expect Snort to detect this change.
On Aug 19, 2014 10:23 PM, "waldo kitty" <wkitty42 at ...14940...> wrote:

>
> top posting "corrected" to inline for readability... see my reply below...
>
> On 8/19/2014 1:00 PM, Meysam Farazmand wrote:
> > On Aug 19, 2014 9:11 PM, "Jefferson, Shawn" <Shawn.Jefferson at ...14448...> wrote:
> >>
> >>     Wouldn’t your MAC addresses just be those of your routers anyway? Any
> >>     non-trivial network (i.e. Enterprise) probably won’t get much benefit from
> >>     Snort trying to detect this.  You’re better off using the anti-MAC-spoofing
> >>     features of your switches, IMO.
> >
> > Hi Jefferson,
> >
> > When we do a man-in-the-middle attack, all of the devices' ARP tables update
> > with the MAC address of the attacker. So this change in MAC address should be
> > detected as session hijacking by the stream5 preprocessor, because the stream5
> > check_session_hijacking option relies on changes in the MAC address of a TCP
> > connection.
>
> I think that what Jefferson is attempting to point out is that MAC addresses
> are only good on the current link... in other words, this chart shows 3 MAC
> address changes in the flow of traffic from A to B...
>
>      A -> router1 -> router2 -> B
>
> and this one shows 5 changes...
>
>      A -> router1 -> router2 -> router3 -> router4 -> B
>
> the source MAC and destination MAC inside the packet will change at each "->"...
> IIRC, this is the same for hubs and switches, too...
>
> --
>   NOTE: No off-list assistance is given without prior approval.
>         Please *keep mailing list traffic on the list* unless
>         private contact is specifically requested and granted.
>
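As an added illustration (not code from this thread or from Snort itself), here is a small Python model of the check that stream5's check_session_hijacking option performs: record the source/destination MAC pair a TCP session was first seen with and alert when a later packet of that session arrives with a different pair. All packets, IP addresses and MACs (including the attacker MAC aa:00:00:00:00:99) are constructed sample data; the second scenario shows why, on a routed path, the sensor only ever sees the adjacent router's MAC and a change on another link is invisible to this check.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Pkt:
    """Constructed packet summary: only the fields the check needs."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    sport: int
    dport: int

def session_key(p: Pkt) -> Tuple[str, int, str, int]:
    # Direction-independent 4-tuple so both halves of the conversation share one entry.
    a, b = (p.src_ip, p.sport), (p.dst_ip, p.dport)
    return a + b if a <= b else b + a

def find_mac_changes(packets: List[Pkt]) -> List[str]:
    """One alert per packet whose (src MAC, dst MAC) differs from the pair
    recorded when that sender was first seen on the session."""
    learned: Dict[Tuple, Dict[str, Tuple[str, str]]] = {}
    alerts: List[str] = []
    for p in packets:
        sess = learned.setdefault(session_key(p), {})
        seen = sess.get(p.src_ip)
        if seen is None:
            sess[p.src_ip] = (p.src_mac, p.dst_mac)   # learn on first sight
        elif seen != (p.src_mac, p.dst_mac):
            alerts.append(f"{p.src_ip}:{p.sport}->{p.dst_ip}:{p.dport} "
                          f"MAC pair changed {seen} -> {(p.src_mac, p.dst_mac)}")
    return alerts

# Scenario 1 (constructed): flat switched lab like the poster's. The benign PC
# (..:01) talks to the Snort PC (..:02); after the ARP poisoning its traffic is
# relayed by the attacker, so the frame now arrives with the attacker's MAC (..:99).
FLAT_LAB = [
    Pkt("aa:00:00:00:00:01", "aa:00:00:00:00:02", "10.0.0.1", "10.0.0.2", 40000, 80),
    Pkt("aa:00:00:00:00:02", "aa:00:00:00:00:01", "10.0.0.2", "10.0.0.1", 80, 40000),
    Pkt("aa:00:00:00:00:99", "aa:00:00:00:00:02", "10.0.0.1", "10.0.0.2", 40000, 80),
]
# Scenario 2 (constructed): routed path. Every frame the sensor sees from the
# remote host carries the local router's MAC (..:f1), so a MAC substitution on
# another link never shows up here and nothing is flagged.
ROUTED = [
    Pkt("aa:00:00:00:00:f1", "aa:00:00:00:00:02", "10.1.0.1", "10.0.0.2", 40001, 80),
    Pkt("aa:00:00:00:00:02", "aa:00:00:00:00:f1", "10.0.0.2", "10.1.0.1", 80, 40001),
    Pkt("aa:00:00:00:00:f1", "aa:00:00:00:00:02", "10.1.0.1", "10.0.0.2", 40001, 80),
]
```

Running find_mac_changes(FLAT_LAB) yields one alert for the third packet, while find_mac_changes(ROUTED) yields none, which is the limitation Jefferson and waldo describe.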