[Snort-users] Re: ARPSpoof!
This is a discussion on [Snort-users] Re: ARPSpoof! within the Snort forums, part of the System Security and Security Related category; -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Andrew, I'm afraid you don't understand what arpspoofing is. Let me explain ...
|
|||||||
| FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
02-18-2004
|
|||
|
|||
[Snort-users] Re: ARPSpoof!
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1 Andrew, I'm afraid you don't understand what arpspoofing is. Let me explain what the preprocessor is designed to do and why your tests are never going to generate arpspoof alerts. When computers communicate using IP over Ethernet, it is often necessary to determine the Ethernet, or layer 2, address of an IP address. Regardless of whether your packets must be routed through an IP router, or your computer is physically connected to the same Ethernet as another computer, the next hop address (in the case of routing), or the destination address (in the case of being directly connected) must be determined at layer 2. Before your computer can send IP packets to another, it consults its routing table. If the destination must be reached through a router, your computer will send the IP packets through the router, if it is directly connected your computer will simply send the packets directly to the destination. ARP, or Address Resolution Protocol, figures out the hardware (Ethernet in most cases) address of an IP address. Whether routing or delivering Ethernet frames directly to another computer, the hardware address of the destination or router must be determined. Your computer will send an ARP request to the Ethernet broadcast address (ff:ff:ff:ff:ff:ff) asking for the hardware address associated with that IP address. If a system is connected to the network and assigned that IP address, it is expected to answer by sending an ARP reply back to your computer containing its hardware address. The configuration of the arpspoof preprocessor requires that you specify an IP address/ethernet address pair for a given host. If the preprocessor observes an ARP frame where the SENDER IP address matches one of the configuration entries you have added to snort.conf and the SENDER hardware address does not match the configuration, an alert is generated. Here is the basic logic: In snort.conf you have an IP address A / Ethernet address X pair in snort.conf IF snort sees an ARP frame where the sender is IP address A IF the Ethernet address is *NOT* X THEN snort generates an alert Let me dissect your tests. First, your configuration specifies two IP/mac address pairs to monitor: preprocessor arpspoof_detect_host: 192.168.4.100 00:20:ED:00:CC:78 preprocessor arpspoof_detect_host: 192.168.4.68 00:02:B3:62:8C:D6 the tcpdump formatted file you sent me contains only two ARP frames: (mangler):~/Desktop/tcpdump$ 22: tcpdump -entvvr ethereal.log arp | more 00:02:b3:a4:97:5a ff:ff:ff:ff:ff:ff 0806 60: arp who-has 192.168.4.68 tell 192.168.4.25 00:02:b3:62:8c:d6 00:02:b3:a4:97:5a 0806 60: arp reply 192.168.4.68 is-at 00:02:b3:62:8c:d6 First, it is important to notice that ARP frames are seen for 192.168.4.68 ONLY. No ARP frames are seen for the other IP address. Second, as observed from the tcpdump output, the hardware address in the ARP frames *MATCHES* the hardware address you have specified in your configuration. Therefore, there is nothing to alert on. By specifying an IP address/Ethernet address pair in snort.conf, you are instructing Snort to alert when it sees a *DIFFERENT* hardware address for that IP address, and not when it sees the correct hardware address. I would love to explain this in more detail, but I think you would benefit greatly from reading up on ARP before I elaborate too much more. Please, before you use spp_arpspoof please ensure you know what it is intended to do. Regards, - -Jeff On Feb 17, 2004, at 10:27 PM, Andrew Steven wrote: > Hi Jeff, > Happy to see you mailing me out of your busy schedules. Am sorry to > disturb > you as i find no other better person than you, who can guide me on the > problems i face with ARP. Herewith i enclose the tcpdump from snort as > well > as the captured file from ethereal for your perusal. Am using NMAP to > generate the ARP frames. > > The configurations in the snort.conf is > preprocessor arpspoof > preprocessor arpspoof_detect_host: 192.168.4.100 00:20:ED:00:CC:78 > preprocessor arpspoof_detect_host: 192.168.4.68 00:02:B3:62:8C:D6 > > My problem is, am always seeing the ARP frame only for the last host > in the > configuration. for e.g in this case 192.168.4.68. If i add one more > IP/MAC > pair after 192.168.4.68, then i do get the ARP frames for the lastly > entered > IP/MAC pair only. > > PSA the tcpdump files. > > Thanks in Advance. > Regards, > Lora. > > >> From: Jeff Nathan <jeff@snort.org> >> To: "Andrew Steven" <andtan_sg@hotmail.com> >> CC: snort-users@lists.sourceforge.net >> Subject: Re: ARPSpoof! >> Date: Tue, 17 Feb 2004 20:23:04 -0500 >> >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Andrew, >> >> I am very busy with my day job and have limited time to work on Snort >> related projects for the next few weeks. >> >> In order for me to address your question, I need *MUCH* more >> information. >> >> How are you generating ARP frames to test arpspoof? >> >> Are you adding entries to the snort.conf file where the hardware >> address >> slightly differs from the correct hardware address? >> >> Are you using a piece of software to generate ARP frames? >> >> Can you send me a tcpdump formatted capture file from the machine >> running >> snort? Please do something like this to save the file: tcpdump - -s >> 100 -w >> arp.out arp >> >> I cannot help you without knowing more. For example, from the >> information >> you have provided I cannot determine whether or not ARP frames are >> being >> generated which would match the in-memory configuration of >> spp_arpspoof. >> Also, I cannot confirm that the system running snort can see these ARP >> frames, which might occur due to your network topology. >> >> I will do my best to answer your question once I have more >> information. >> >> Thank you for understanding that I'm a volunteer. >> >> - -Jeff >> >> >> On Feb 17, 2004, at 8:01 PM, Andrew Steven wrote: >> >>> Hi, >>> How are you? Hope you would have seen my mail to the mailing list >>> regarding the ARP cache overwrite attacks. I will tell you how i >>> performed >>> my test on snort. Disabled all other preprocessors except the >>> following in >>> snort.conf. >>> preprocessor arpspoof >>> preprocessor arpspoof_detect_host: 10.1.1.1 00:D0:59:26:85:5E >>> preprocessor arpspoof_detect_host: 10.1.1.2 00:D0:B7:44:9E:03 >>> >>> Enabled the tcpdump logging for snort and simultaneously made the >>> ethereal >>> also to sniff. In ethereal i could see the step by step packets like >>> ARP >>> request, ARP reply and so on... But in snort's tcpdump, i didnt see >>> any >>> ARP request or ARP reply but instead an ICMP packet where both the >>> source >>> IP and destination IP's MAC address are resolved. What happened to >>> the ARP >>> packets. Dropped? >>> >>> One more criteria, >>> >>> preprocessor arpspoof >>> preprocessor arpspoof_detect_host: 10.1.1.1 00:D0:59:26:85:5E >>> >>> Havinag only one configuration is fine. Snort's TCPDump has the ARP >>> packets and there by raising the ARP cache overwrite attacks. >>> >>> These are my findings. Awaiting for your reply. >>> Regards, >>> Andrew. >>> >>> __________________________________________________ _______________ >>> Keep track of Singapore & Malaysia stock prices. >>> http://www.msn.com.sg/money/ >>> >>> >> >> - -- >> Custom packets with little to no money down. >> http://nemesis.sourceforge.net >> -----BEGIN PGP SIGNATURE----- >> Version: GnuPG v1.2.4 (Darwin) >> >> iD8DBQFAMr57Eqr8+Gkj0/0RAusIAKDBNeYxP3LuIoKI4zP8KoV8041xfgCcCFn+ >> vQmWuhTiiAKRv0hLce7/sLk= >> =QZu7 >> -----END PGP SIGNATURE----- >> > > __________________________________________________ _______________ > Find love on MSN Personals http://personals.msn.com.sg/ > <tcpdump.zip> - -- The original EZ-bake packet oven. http://nemesis.sourceforge.net -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (Darwin) iD8DBQFAMua8Eqr8+Gkj0/0RAsCJAJ41Cn9oZCKkPgnbyuhVov7nt7hl/ACfY+vB o9pDZ5lfvAZUfFGhCeDK7nE= =szB+ -----END PGP SIGNATURE----- ------------------------------------------------------- SF.Net is sponsored by: Speed Start Your Linux Apps Now. Build and deploy apps & Web services for Linux with a free DVD software kit from IBM. Click Now! http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click _______________________________________________ Snort-users mailing list Snort-users@lists.sourceforge.net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/...fo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.p...st=snort-users 
|
Linear Mode
