
Re: [Snort-devel] New Feature based on MAC address filterig (Possible !!!!!)

From: Atul Shrivastava <atul_iet(at)yahoo.com>
Date: Wed Jun 18 2003 - 02:19:05 EDT


Well .....

First of all, MAC spoofing should be taken care of by the IDS only, because it comes under the work profile of an IDS. So we have to use too many tools for making a perfect IDS ...

OK, if anybody uses Arpwatch, can Arpwatch be installed on the same machine as the Snort sensor and run on the same interface on which the sensor is collecting data? The traffic is coming in on the sensor arm, so there is no question regarding the broadcast domain: when an IDS is placed in a network, it is placed in such a way that all the traffic passes through this sensor, and if a switch is there, port mirroring is used to make all the traffic available to the sensor.

In my setup the Snort sensor and the management console are running on the same machine. The management console uses eth0 and the sensor is running in promiscuous mode on eth1. So my question is: can I run Arpwatch on the eth1 interface so that whatever Snort is scanning, Arpwatch can also get all this traffic? Now my doubt is that if I run Arpwatch on the same interface as the Snort sensor, then which application gets the traffic first?

Regards and have a nice day,  

Atul Shrivastava

Frank Knobbe <fknobbe@knobbeits.com> wrote:

On Tue, 2003-06-17 at 04:06, Keith R Kilby wrote:
> Sorry, but I would have to disagree, in my experience anybody attaching to

You are allowed to disagree :) Yes, it is a somewhat useful function ("somewhat" because someone could fake an existing MAC address. This is often done on wireless networks to evade MAC filtering). Something should be watching arps, but it is my opinion that it doesn't need to be Snort. As mentioned earlier, software for that (arpwatch) already exists.


> Not strictly true? I believe that any MAC address would be detectable if

With "broadcast domain" I was referring to the network segment. Due to high proliferation of switches, it has become uncommon to have "collision domains". Those terms should be as familiar as the 5-4-3 rule for Ethernet.

Regards,
Frank


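An arpwatch-style IP-to-MAC change monitor, added here as an example and not code from the thread, from arpwatch or from Snort: it parses Ethernet/ARP frames and reports when an IP address turns up with a new MAC, which is the check that surfaces the MAC spoofing Frank mentions. Both Snort and arpwatch read frames through libpcap and each receives its own copy from the kernel, so there is no "first" reader to worry about when both sit on eth1. The frames, MAC addresses and IP addresses below are constructed for the demo, not captured traffic.

```python
import struct

ETHERTYPE_ARP = 0x0806

def build_arp_frame(sender_mac, sender_ip, target_ip, oper=2):
    """Construct an Ethernet II + ARP frame (sample input, not captured traffic)."""
    eth = b"\xff" * 6 + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)  # htype, ptype, hlen, plen, oper
           + sender_mac + sender_ip + b"\x00" * 6 + target_ip)
    return eth + arp

def parse_arp(frame):
    """Return (sender_ip, sender_mac) as strings for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # only Ethernet hardware / IPv4 protocol ARP is tracked
    sha, spa = frame[22:28], frame[28:32]
    return ".".join(str(b) for b in spa), ":".join(f"{b:02x}" for b in sha)

class ArpWatcher:
    """Keep an IP -> MAC table and report bindings that change (arpwatch calls this a flip flop)."""
    def __init__(self):
        self.table = {}
        self.alerts = []

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return None  # not ARP, or not a shape we track
        ip, mac = parsed
        old = self.table.get(ip)
        self.table[ip] = mac
        if old is None or old == mac:
            return None  # first sighting, or unchanged binding: stay quiet
        alert = f"changed ethernet address {ip} {old} -> {mac}"
        self.alerts.append(alert)
        return alert

def demo():
    """Constructed scenario: the gateway announces itself, then a second MAC claims its IP."""
    gw_ip = bytes([192, 168, 1, 1])
    real_mac, other_mac = bytes.fromhex("00aabbccdd01"), bytes.fromhex("00aabbccdd99")
    w = ArpWatcher()
    w.observe(build_arp_frame(real_mac, gw_ip, bytes([192, 168, 1, 50])))   # learned
    w.observe(build_arp_frame(real_mac, gw_ip, bytes([192, 168, 1, 51])))   # same binding, silent
    w.observe(build_arp_frame(other_mac, gw_ip, bytes([192, 168, 1, 50])))  # binding changed
    return w.alerts
```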



Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Received on Wed Jun 18 02:33:23 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:06 EDT

