
Re: filtering ARP and detecting ARP spoofing

From: oudot laurent <oudot.laurent(at)wanadoo.fr>
Date: Tue Apr 15 2003 - 17:17:32 EDT

Mark wrote:
> Hi, on lesser secure machines I completely turn off ARP on the interface

If you are interested in an IDS tool, you can also use prelude-nids from Prelude-IDS (http://www.prelude-ids.org), which has the same feature (IP associated with MAC) and others about ARP attacks (plugin called "ArpSpoof") [Attempted ARP cache overwrite attack...]

Easy to configure: /usr/local/etc/prelude-nids/prelude-nids.conf ...
[ArpSpoof]

#
# Search anomaly in ARP request.
#
# The "directed" option will result in a warn each time an ARP
# request is sent to an address other than the broadcast address.
#
# directed;
# arpwatch= ;

...

> Most of my sniffing machines I use an ethernet cable that lets the computer

Don't you have problems with full duplex networks?

>
> Hope this helps you some.

Me too.

laurent.

> -Mark

>>Hi
>>I've 2 questions:
>>
>>1- Is there any way to filter ARP packets on Linux? (I've heard about
>>arptables but I wasn't able to find out how I can use it)
>>
>>2- In an environment with dynamic IPs, how can I implement an IDS to detect
>>ARP spoofing? What rules could I implement for it? Are there any Cisco switches
>>that implement any of these features?
>>
>>Thanks at all
>>--
>>falcifer 
>>
>>

Received on Tue Apr 15 17:22:07 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:11 EDT
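
The two checks described in the message above (a warning for an ARP request sent to an address other than broadcast, and an IP associated with a MAC), as an added example that is not part of the original message and is not Prelude-IDS code. The function names, the pinned/learned tables and the sample frames are constructed for illustration; the learned table stands in for the dynamic-IP case raised in the original question.

```python
import struct

BROADCAST = b"\xff" * 6

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def build_arp(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Constructed Ethernet + ARP frame (IPv4 over Ethernet), test input only."""
    return (eth_dst + eth_src + b"\x08\x06"
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + spa + tha + tpa)

def check_frame(frame, pinned, learned):
    """Return alerts for one frame. pinned: fixed IP->MAC; learned: observed IP->MAC."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return []                                   # not an ARP frame
    if struct.unpack("!HHBB", frame[14:20]) != (1, 0x0800, 6, 4):
        return []                                   # not Ethernet/IPv4 ARP
    op = struct.unpack("!H", frame[20:22])[0]
    alerts = []
    # Check 1: request (op 1) sent to something other than the broadcast address.
    if op == 1 and frame[0:6] != BROADCAST:
        alerts.append(f"directed ARP request to {mac(frame[0:6])}")
    # Check 2: sender IP/MAC pair against pinned, then learned, bindings.
    ip = ".".join(str(x) for x in frame[28:32])
    sender = mac(frame[22:28])
    if ip == "0.0.0.0":                             # ARP probe carries no sender IP
        return alerts
    known = pinned.get(ip) or learned.get(ip)
    if known and known != sender:
        alerts.append(f"{ip} claimed by {sender}, expected {known}")
    if ip not in pinned:
        learned[ip] = sender                        # dynamic hosts: track latest MAC
    return alerts

def run_demo():
    # All addresses below are constructed sample values.
    gw_mac, host_mac, rogue = (bytes.fromhex(h) for h in
                               ("001122334455", "020000000050", "020000000066"))
    gw_ip, host_ip = bytes([192, 168, 1, 1]), bytes([192, 168, 1, 50])
    pinned, learned = {"192.168.1.1": mac(gw_mac)}, {}
    frames = [
        build_arp(BROADCAST, host_mac, 1, host_mac, host_ip, bytes(6), gw_ip),  # normal request
        build_arp(gw_mac, host_mac, 1, host_mac, host_ip, bytes(6), gw_ip),     # directed request
        build_arp(host_mac, rogue, 2, rogue, gw_ip, host_mac, host_ip),         # reply claiming gateway IP
    ]
    return [check_frame(f, pinned, learned) for f in frames], learned

if __name__ == "__main__":
    print(run_demo())
```

Linux hosts also send unicast ARP requests to revalidate neighbour cache entries, so the directed check produces warnings on normal traffic and is best read alongside the binding check.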

