[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [ISSForum] ARP Pisoning, etc.



If you have a cisco environment, use port security and map one mac to an
IP. If arp poisoning occurs you can have the port shut down
automatically

Scott Johnson
CISSP, GSEC
ERCOT Cyber Security
(512) 248-3152

> -----Original Message-----
> From: issforum-bounces@xxxxxxx [mailto:issforum-bounces@xxxxxxx] On
Behalf
> Of Chris Lyon
> Sent: Tuesday, September 20, 2005 11:11 AM
> To: Soldatov, Sergey V.
> Cc: issforum@xxxxxxx
> Subject: Re: [ISSForum] ARP Pisoning, etc.
> 
> On 9/20/05, Soldatov, Sergey V. <SVSoldatov@xxxxxxxxxx> wrote:
> >
> > 1. ARP Poisoning can be used for sniffing in switched network. As I
> > understand (please, correct me if I'm wrong) the only way for
Network
> > sensor to detect ARP poisoning is signature IP_Duplicate, which
detects
> > two or more computers on network using the same IP address.
IP_Duplicate
> > has a lot of false positives because of clusters (server clusters,
> > router cluster with HSRP, etc) and it's no ability to tune this
> > signature with event filters, because its impossible to create
filters
> > for event details (because different MACs of IP are specified in
event
> > details). Most of IP_Duplicate events in my environment are FP. Does
the
> > only way for me is to supply enhancements request to ISS to realize
the
> > ability to create filters for event details? Unfortunately, I think,
> > this can't be done soon. Does someone have ideas about ARP Poisoning
> > detection? ANY feedback will be welcome.
> 
>  Actually, arp poisoning doesn't show up as duplicate IP address.
> Remember what layer ARP is? Layer 2 which means it is all MAC based.
> Look at a program called arpwatch. It does what you want it to do.
Look
> for
> arp poisoning. It does false on a few things but way better then ISS
in
> MHO.
> 
> 
> > 2. Another question addressed to someone from ISS. There is a very
> > useful event - SensorStatistics. It can be used for behavior based
> > (statistical) analysis. I can do this by hand (for example, by
SEC.pl I
> > can store statistics in database, and analyze delta), but may be ISS
> > plan this analysis in future?? Should I supply enhancements request
for
> > this need too?
> >
> > ---
> > Best regards, Sergey V. Soldatov.
> > Information security department.
> > tel/fax +7 095 745 89 50
> > tel +7 095 777 77 07 (1613)
> >
> >
> > _______________________________________________
> > ISSForum mailing list
> > ISSForum@xxxxxxx
> >
> > TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
> > https://atla-mm1.iss.net/mailman/listinfo/issforum
> >
> > To contact the ISSForum Moderator, send email to
mod-issforum@xxxxxxx
> >
> > The ISSForum mailing list is hosted and managed by Internet Security
> > Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
> >
> _______________________________________________
> ISSForum mailing list
> ISSForum@xxxxxxx
> 
> TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-
> mm1.iss.net/mailman/listinfo/issforum
> 
> To contact the ISSForum Moderator, send email to mod-issforum@xxxxxxx
> 
> The ISSForum mailing list is hosted and managed by Internet Security
> Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.



_______________________________________________
ISSForum mailing list
ISSForum@xxxxxxx

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to mod-issforum@xxxxxxx

The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.