Re: [ISSForum] ARP Poisoning, etc.
On 9/20/05, Soldatov, Sergey V. <SVSoldatov@xxxxxxxxxx> wrote:
> 1. ARP Poisoning can be used for sniffing in a switched network. As I
> understand (please correct me if I'm wrong), the only way for the Network
> Sensor to detect ARP poisoning is the signature IP_Duplicate, which detects
> two or more computers on the network using the same IP address. IP_Duplicate
> has a lot of false positives because of clusters (server clusters,
> router clusters with HSRP, etc.), and there is no ability to tune this
> signature with event filters, because it's impossible to create filters
> for event details (the different MACs of the IP are specified in the event
> details). Most IP_Duplicate events in my environment are FPs. Is the
> only way for me to supply an enhancement request to ISS to realize the
> ability to create filters for event details? Unfortunately, I think
> this can't be done soon. Does someone have ideas about ARP Poisoning
> detection? ANY feedback will be welcome.
Actually, ARP poisoning doesn't show up as a duplicate IP address.
Remember what layer ARP is? Layer 2, which means it is all MAC-based.
Look at a program called arpwatch. It does what you want it to do: look for
ARP poisoning. It gives false positives on a few things, but it is way better than ISS, IMHO.
> 2. Another question, addressed to someone from ISS. There is a very
> useful event, SensorStatistics. It can be used for behavior-based
> (statistical) analysis. I can do this by hand (for example, with SEC.pl I
> can store statistics in a database and analyze the delta), but maybe ISS
> plans this analysis in the future? Should I supply an enhancement request for
> this need too?
> Best regards, Sergey V. Soldatov.
> Information security department.
> tel/fax +7 095 745 89 50
> tel +7 095 777 77 07 (1613)
ISSForum mailing list
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum
To contact the ISSForum Moderator, send email to mod-issforum@xxxxxxx
The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
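The arpwatch-style check the reply recommends, written out as an added example (not code from the thread or from arpwatch itself): it replays ARP replies, keeps the IP-to-MAC table, and raises "changed ethernet address" / "flip flop" alerts when a mapping moves, while an operator-supplied allowlist of cluster virtual IPs (the HSRP-style false positive the question describes) suppresses expected moves. The sample replies, MACs and the `allow_move` set are constructed for the example.

```python
"""Minimal arpwatch-style ARP monitor: flags IP->MAC changes seen in ARP replies."""
from collections import namedtuple

ArpReply = namedtuple("ArpReply", "ts ip mac")

# Constructed sample of ARP replies as a Layer 2 sensor would see them (not real traffic).
SAMPLE = [
    ArpReply(1, "10.0.0.1", "00:00:0c:07:ac:01"),    # cluster virtual IP, active node
    ArpReply(2, "10.0.0.1", "00:00:0c:07:ac:01"),
    ArpReply(3, "10.0.0.20", "00:11:22:33:44:55"),   # ordinary host first seen
    ArpReply(4, "10.0.0.20", "00:11:22:33:44:55"),
    ArpReply(5, "10.0.0.20", "de:ad:be:ef:00:01"),   # mapping moves to another MAC
    ArpReply(6, "10.0.0.20", "00:11:22:33:44:55"),   # and flips back
    ArpReply(7, "10.0.0.1", "00:00:0c:aa:bb:02"),    # cluster failover: expected move
]

# Virtual IPs an operator expects to move between nodes (assumed; tune per environment).
CLUSTER_VIPS = frozenset({"10.0.0.1"})


def monitor(replies, allow_move=frozenset()):
    """Replay ARP replies. Returns (table, alerts).

    table:  ip -> (current_mac, previous_mac)
    alerts: list of (ts, kind, ip, mac) where kind is one of
            "new station", "changed ethernet address", "flip flop".
    """
    table, alerts = {}, []
    for r in replies:
        mac = r.mac.lower()
        if r.ip not in table:
            table[r.ip] = (mac, None)
            alerts.append((r.ts, "new station", r.ip, mac))
            continue
        cur, prev = table[r.ip]
        if mac == cur:
            continue                      # unchanged mapping, nothing to report
        table[r.ip] = (mac, cur)          # record the move either way
        if r.ip in allow_move:
            continue                      # known cluster VIP: suppress, do not alert
        kind = "flip flop" if mac == prev else "changed ethernet address"
        alerts.append((r.ts, kind, r.ip, mac))
    return table, alerts


def run_sample():
    """Run the constructed sample with the cluster allowlist applied."""
    return monitor(SAMPLE, allow_move=CLUSTER_VIPS)


if __name__ == "__main__":
    for ts, kind, ip, mac in run_sample()[1]:
        print(f"t={ts} {kind}: {ip} is now {mac}")
```

Without the allowlist the failover at t=7 also alerts, which is exactly the cluster false positive the thread complains about.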