Re: [ISSForum] ARP Poisoning, etc.
If you have a Cisco environment, use port security and map one MAC to an
IP. If ARP poisoning occurs you can have the port shut down.
ERCOT Cyber Security
> -----Original Message-----
> From: issforum-bounces@xxxxxxx [mailto:issforum-bounces@xxxxxxx] On
> Of Chris Lyon
> Sent: Tuesday, September 20, 2005 11:11 AM
> To: Soldatov, Sergey V.
> Cc: issforum@xxxxxxx
> Subject: Re: [ISSForum] ARP Poisoning, etc.
> On 9/20/05, Soldatov, Sergey V. <SVSoldatov@xxxxxxxxxx> wrote:
> > 1. ARP Poisoning can be used for sniffing in switched network. As I
> > understand (please, correct me if I'm wrong) the only way for
> > sensor to detect ARP poisoning is signature IP_Duplicate, which
> > two or more computers on network using the same IP address.
> > has a lot of false positives because of clusters (server clusters,
> > router cluster with HSRP, etc) and there's no ability to tune this
> > signature with event filters, because it's impossible to create
> > for event details (because different MACs of IP are specified in
> > details). Most of IP_Duplicate events in my environment are FP. Does
> > only way for me is to supply enhancements request to ISS to realize
> > ability to create filters for event details? Unfortunately, I think,
> > this can't be done soon. Does someone have ideas about ARP Poisoning
> > detection? ANY feedback will be welcome.
> Actually, ARP poisoning doesn't show up as a duplicate IP address.
> Remember what layer ARP is? Layer 2, which means it is all MAC based.
> Look at a program called arpwatch. It does what you want it to do.
> ARP poisoning. It does false on a few things but way better than ISS
> > 2. Another question addressed to someone from ISS. There is a very
> > useful event - SensorStatistics. It can be used for behavior based
> > (statistical) analysis. I can do this by hand (for example, by
> > can store statistics in database, and analyze delta), but maybe ISS
> > plan this analysis in future?? Should I supply enhancements request
> > this need too?
> > ---
> > Best regards, Sergey V. Soldatov.
> > Information security department.
> > tel/fax +7 095 745 89 50
> > tel +7 095 777 77 07 (1613)
> > _______________________________________________
> > ISSForum mailing list
> > ISSForum@xxxxxxx
> > TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
> > https://atla-mm1.iss.net/mailman/listinfo/issforum
> > To contact the ISSForum Moderator, send email to
> > The ISSForum mailing list is hosted and managed by Internet Security
> > Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
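The thread contrasts duplicate-IP alerts, which fire on clusters and HSRP, with tracking IP-to-MAC bindings the way arpwatch does. The sketch below is an added example, not part of the original messages and not arpwatch's or ISS's code: it tracks bindings from ARP replies and accepts a per-IP allowlist so clustered addresses stay quiet. The event names, the `EXPECTED` allowlist and all addresses are constructed for illustration.

```python
# Constructed sample: (ip, mac) pairs as they would be seen in ARP replies.
SAMPLE = [
    ("10.0.0.1", "00:00:0c:07:ac:01"),   # HSRP virtual MAC for the gateway
    ("10.0.0.1", "00:11:22:33:44:01"),   # physical router in the same cluster
    ("10.0.0.20", "00:aa:bb:cc:dd:20"),  # workstation, first sighting
    ("10.0.0.1", "00:de:ad:be:ef:99"),   # unknown MAC claims the gateway IP
    ("10.0.0.20", "00:aa:bb:cc:dd:20"),  # unchanged binding, no event
    ("10.0.0.30", "00:de:ad:be:ef:99"),  # same unknown MAC on another IP
]

# Hypothetical allowlist: MACs permitted to answer for a clustered IP.
EXPECTED = {"10.0.0.1": {"00:00:0c:07:ac:01", "00:11:22:33:44:01"}}

def detect(observations, expected=None):
    """Return (event, ip, previous_mac, new_mac) tuples for binding changes."""
    expected = expected or {}
    binding = {}  # ip -> last MAC accepted for that IP
    events = []
    for ip, mac in observations:
        mac = mac.lower()
        prev = binding.get(ip)
        allowed = expected.get(ip)
        if allowed is not None:
            if mac not in allowed:
                # Clustered IP answered by a MAC outside its known set.
                events.append(("unexpected_mac", ip, prev, mac))
                continue  # do not learn the suspicious binding
        elif prev is None:
            events.append(("new_station", ip, None, mac))
        elif prev != mac:
            events.append(("changed_mac", ip, prev, mac))
        binding[ip] = mac
    return events

if __name__ == "__main__":
    for event in detect(SAMPLE, EXPECTED):
        print(event)
```

Run without the allowlist, the same sample raises a `changed_mac` event for the legitimate HSRP member as well, which is the false-positive pattern described in the original question.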