
Re: [ISSForum] ARP Poisoning, etc.

________________________________

	From: Chris Lyon [mailto:cslyon@xxxxxxxxx] 
	Sent: Tuesday, September 20, 2005 8:11 PM
	To: Soldatov, Sergey V.
	Cc: issforum@xxxxxxx
	Subject: Re: [ISSForum] ARP Poisoning, etc.
	
	
	On 9/20/05, Soldatov, Sergey V. <SVSoldatov@xxxxxxxxxx> wrote: 

		1. ARP Poisoning can be used for sniffing in a switched
		network. As I understand (please correct me if I'm wrong), the
		only way for Network Sensor to detect ARP poisoning is the
		signature IP_Duplicate, which detects two or more computers on
		the network using the same IP address. IP_Duplicate has a lot
		of false positives because of clusters (server clusters,
		router clusters with HSRP, etc.), and there is no ability to
		tune this signature with event filters, because it's
		impossible to create filters for event details (because
		different MACs of the IP are specified in the event details).
		Most of the IP_Duplicate events in my environment are FPs. Is
		the only way for me to submit an enhancement request to ISS
		to realize the ability to create filters for event details?
		Unfortunately, I think this can't be done soon. Does someone
		have ideas about ARP Poisoning detection? ANY feedback will
		be welcome.

	 
	Actually, ARP poisoning doesn't show up as a duplicate IP address.

	Remember what layer ARP is? Layer 2, which means it is all MAC
	based. Look at a program called arpwatch. It does what you want it to
	do: look for ARP poisoning. It does false on a few things, but it is way
	better than ISS, IMHO.
	

	
	[svs] ARP poisoning in ISS CAN be detected as IP duplicate, and
this is the only way. The IP_Duplicate event detects two or more computers
which are using the same IP: the sensor looks for the IP-MAC correspondence and
generates an event if it finds the sequence IP-MAC2 where MAC != MAC2. Remember
ARP poisoning: the bad guy generates a lot of ARP responses with its MAC and the
IP of the router, and if the victim has a dynamic ARP cache (it's almost always so),
soon the victim's ARP cache will contain the attacker's MAC for the router's IP, so
all the victim's traffic to another subnet (VLAN) will be forwarded to the
attacker's machine as if to the router. This type of attack sometimes can
be detected by a great number of ARP responses (it can be detected by
some statistical analysis of traffic, and that's what my second
question is about), but not always.

	Arpwatch. Of course I know this tool, but I can't use it in my
environment, because nothing except the Network Sensor can listen on the
interface on which the ISS high-performance gigabit driver is installed
(unfortunately, I use a Gigabit sensor and can't access my monitoring
interface :-(( )

	 

	Thank you for your feedback, good luck!
	

	 

	

		2. Another question, addressed to someone from ISS. There
		is a very useful event - SensorStatistics. It can be used for
		behavior-based (statistical) analysis. I can do this by hand
		(for example, with SEC.pl I can store statistics in a database
		and analyze the delta), but maybe ISS plans this analysis in
		the future?? Should I submit an enhancement request for this
		need too?
		
		---
		Best regards, Sergey V. Soldatov.
		Information security department.
		tel/fax +7 095 745 89 50
		tel +7 095 777 77 07 (1613)
		
		
		_______________________________________________
		ISSForum mailing list
		ISSForum@xxxxxxx
		
		TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo/issforum 
		
		To contact the ISSForum Moderator, send email to
mod-issforum@xxxxxxx
		
		The ISSForum mailing list is hosted and managed by
Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA
30328. 
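The two detection ideas discussed in this thread, an IP that changes its MAC (what IP_Duplicate and arpwatch report) and a statistical count of ARP replies per sender, as an added example that is not code from the thread, from ISS or from arpwatch. The ARP reply stream, the HSRP allow-list used to tune out cluster failovers, and all addresses are constructed.

```python
from collections import defaultdict, deque

# Constructed sample of ARP replies seen by a sensor: (timestamp, sender_ip, sender_mac).
# 10.0.0.1 is the router; 10.0.0.5 is an HSRP virtual IP shared by two cluster members.
SAMPLE_ARP_REPLIES = [
    (0.0, "10.0.0.1", "00:00:0c:aa:aa:aa"),
    (1.0, "10.0.0.5", "00:00:0c:07:ac:01"),
    (2.0, "10.0.0.5", "00:00:0c:07:ac:02"),   # HSRP failover: expected, not an attack
    (3.0, "10.0.0.1", "de:ad:be:ef:00:01"),   # router IP now claimed by another MAC
] + [(3.0 + i * 0.1, "10.0.0.1", "de:ad:be:ef:00:01") for i in range(1, 30)]  # flood

def detect_arp_poisoning(replies, allowed_macs=None, burst_window=2.0, burst_threshold=10):
    """Return alerts built from a stream of ARP replies, mirroring two detections:
    1. 'ip_duplicate': an IP bound to one MAC is now announced by another MAC
       (the IP_Duplicate / arpwatch 'changed ethernet address' idea). MACs listed
       in allowed_macs for that IP (e.g. HSRP group members) are tuned out, which
       is the per-IP filter the thread says the sensor cannot express.
    2. 'arp_burst': one MAC sends more than burst_threshold replies within
       burst_window seconds, the statistical symptom of a reply flood.
    """
    allowed_macs = allowed_macs or {}
    ip_to_mac = {}                 # last MAC seen claiming each IP
    recent = defaultdict(deque)    # sender MAC -> timestamps of its recent replies
    alerts = []
    for ts, ip, mac in replies:
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac and mac not in allowed_macs.get(ip, set()):
            alerts.append(("ip_duplicate", ip, prev, mac))
        ip_to_mac[ip] = mac
        q = recent[mac]
        q.append(ts)
        while q and ts - q[0] > burst_window:   # drop replies outside the window
            q.popleft()
        if len(q) == burst_threshold + 1:        # fire once, when the window first overflows
            alerts.append(("arp_burst", mac, ip, len(q)))
    return alerts

# Constructed tuning: both HSRP members may legitimately answer for the virtual IP.
HSRP_FILTER = {"10.0.0.5": {"00:00:0c:07:ac:01", "00:00:0c:07:ac:02"}}

if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP_REPLIES, HSRP_FILTER):
        print(alert)
```

Without the HSRP allow-list the failover at t=2.0 also raises an ip_duplicate alert, which is exactly the cluster false positive the thread describes.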
		

