Chapter 4 Plugins, Preprocessors and Output Modules
4.1.6 ARP Spoofing
Address Resolution Protocol (ARP) is used to find a MAC address when an IP
address is known. ARP is needed when a host wants to send an IP packet to another
host on the local network. The sending host broadcasts an ARP packet on the network
asking, "Who has this IP address?" The host that has that IP address responds with
its MAC address. After that, the sending host sends the data packet (usually called a
frame at the link layer level) to the destination host.
The ARP protocol is used by many people for various attacks, sniffing and spoofing.
For example, see the dsniff package at http://www.monkey.org/~dugsong/dsniff/
which exploits ARP. By spoofing, someone can redirect network traffic for a host to
some other location.
The arpspoof preprocessor detects anomalies in ARP packets. Specifically it does
the following:
- For all ARP requests, if the Ethernet source MAC address and the ARP sender's MAC
address are different, an alert is generated. If the source MAC address in the packet
does not match the MAC address associated with the source IP address, an alert is
also generated. For details on the ARP packet header, refer to Appendix C.
- For ARP replies, the Ethernet source MAC address is compared to the ARP sender's
MAC address. Similarly, the Ethernet destination MAC address is compared to the
ARP receiver's (target's) MAC address. An alert is generated if these entries mismatch.
- For unicast ARP requests, if the destination MAC address is not the broadcast
address (FF:FF:FF:FF:FF:FF), an alert is generated. To check this anomaly,
you need to place the line "preprocessor arpspoof: unicast" in the snort.conf file.
- You can pre-populate MAC address/IP address pairs in Snort's internal cache.
The preprocessor will compare these pre-populated entries with the information in
the received ARP packets. In case of a mismatch, an alert will be generated. For
example, if the MAC address for a particular IP address in an ARP reply does not
match the pre-populated pair, an alert is generated.
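The four checks described above, written out as an added example in Python (this is not Snort's own arpspoof preprocessor code). It parses raw Ethernet/IPv4 ARP frames with the standard library only and returns one message per anomaly; the sample frames, the 192.168.1.0/24 addresses and the MAC addresses used as input are all constructed for the demonstration, and the known_hosts dictionary plays the role of the pre-populated IP/MAC pairs.

```python
"""ARP anomaly checks in the style of Snort's arpspoof preprocessor.
Added example, not Snort source; all sample addresses are constructed."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType (14 bytes)
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa (28 bytes)
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = bytes.fromhex("ffffffffffff")


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


@dataclass
class ArpFrame:
    eth_dst: bytes  # Ethernet destination MAC
    eth_src: bytes  # Ethernet source MAC
    op: int         # 1 = request, 2 = reply
    sha: bytes      # ARP sender hardware (MAC) address
    spa: bytes      # ARP sender protocol (IP) address
    tha: bytes      # ARP target hardware address
    tpa: bytes      # ARP target protocol address


def build_arp_frame(eth_dst, eth_src, op, sha, spa, tha, tpa) -> bytes:
    """Serialise an Ethernet/ARP frame; used here only to construct sample input."""
    return (ETH_HDR.pack(mac(eth_dst), mac(eth_src), ETHERTYPE_ARP)
            + ARP_HDR.pack(1, 0x0800, 6, 4, op, mac(sha), ip(spa), mac(tha), ip(tpa)))


def parse_arp_frame(raw: bytes) -> Optional[ArpFrame]:
    """Return the parsed frame, or None if this is not an Ethernet/IPv4 ARP frame."""
    if len(raw) < ETH_HDR.size + ARP_HDR.size:
        return None
    eth_dst, eth_src, etype = ETH_HDR.unpack_from(raw, 0)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(raw, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ArpFrame(eth_dst, eth_src, op, sha, spa, tha, tpa)


def check_arp(frame: ArpFrame, known_hosts: Dict[str, str], unicast: bool = False) -> List[str]:
    """Apply the arpspoof-style checks. known_hosts maps IP -> MAC (pre-populated pairs);
    unicast=True corresponds to 'preprocessor arpspoof: unicast'."""
    alerts = []
    if frame.op == ARP_REQUEST:
        if frame.eth_src != frame.sha:
            alerts.append("request: Ethernet source MAC differs from ARP sender MAC")
        if unicast and frame.eth_dst != BROADCAST:
            alerts.append("request: unicast ARP request (destination MAC is not broadcast)")
    elif frame.op == ARP_REPLY:
        if frame.eth_src != frame.sha:
            alerts.append("reply: Ethernet source MAC differs from ARP sender MAC")
        if frame.eth_dst != frame.tha:
            alerts.append("reply: Ethernet destination MAC differs from ARP target MAC")
    # Pre-populated pair check: the sender's claimed IP must map to the expected MAC.
    expected = known_hosts.get(ip_str(frame.spa))
    if expected is not None and mac(expected) != frame.sha:
        alerts.append(f"sender MAC for {ip_str(frame.spa)} is {mac_str(frame.sha)}, expected {expected}")
    return alerts


def demo() -> Dict[str, List[str]]:
    """Run the checks over three constructed frames; returns {name: alerts}."""
    known = {"192.168.1.1": "00:11:22:33:44:55"}  # constructed pre-populated pair (gateway)
    samples = {
        # Normal broadcast request from .10 asking for .1: no anomaly.
        "good_request": build_arp_frame("ff:ff:ff:ff:ff:ff", "00:aa:bb:cc:dd:ee", ARP_REQUEST,
                                        "00:aa:bb:cc:dd:ee", "192.168.1.10",
                                        "00:00:00:00:00:00", "192.168.1.1"),
        # Reply claiming .1 from a MAC that is not the pre-populated one: pair mismatch.
        "spoofed_reply": build_arp_frame("00:aa:bb:cc:dd:ee", "00:de:ad:be:ef:00", ARP_REPLY,
                                         "00:de:ad:be:ef:00", "192.168.1.1",
                                         "00:aa:bb:cc:dd:ee", "192.168.1.10"),
        # Unicast request whose Ethernet source MAC disagrees with the ARP sender MAC.
        "bad_request": build_arp_frame("00:11:22:33:44:55", "00:de:ad:be:ef:00", ARP_REQUEST,
                                       "00:aa:bb:cc:dd:ee", "192.168.1.10",
                                       "00:00:00:00:00:00", "192.168.1.1"),
    }
    return {name: check_arp(parse_arp_frame(raw), known, unicast=True) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, alerts in demo().items():
        print(name, "->", alerts or "no alert")
```

The pair check is applied to requests and replies alike, which is the stricter reading of the text; frames that are not Ethernet/IPv4 ARP are ignored by the parser rather than alerted on, matching the preprocessor's narrow scope.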
The following entry in the Snort configuration file (snort.conf) will configure
this preprocessor and will detect unicast anomalies:
preprocessor arpspoof: unicast
The following line adds an IP address and MAC address pair which can be used
later on to detect ARP spoofing attempts.