Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security ISSForum
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [ISSForum] ARP Pisoning, etc.

from [Chris Lyon] Network Security [Permanent Link]
Subject: Re: [ISSForum] ARP Pisoning, etc.
Date: Tue, 20 Sep 2005 09:10:42 -0700 
On 9/20/05, Soldatov, Sergey V. <SVSoldatov@tnk-bp.com> wrote: 


1. ARP Poisoning can be used for sniffing in switched network. As I
understand (please, correct me if I'm wrong) the only way for Network
sensor to detect ARP poisoning is signature IP_Duplicate, which detects
two or more computers on network using the same IP address. IP_Duplicate
has a lot of false positives because of clusters (server clusters,
router cluster with HSRP, etc) and it's no ability to tune this
signature with event filters, because its impossible to create filters
for event details (because different MACs of IP are specified in event
details). Most of IP_Duplicate events in my environment are FP. Does the
only way for me is to supply enhancements request to ISS to realize the
ability to create filters for event details? Unfortunately, I think,
this can't be done soon. Does someone have ideas about ARP Poisoning
detection? ANY feedback will be welcome.


 Actually, arp poisoning doesn't show up as duplicate IP address. 
Remember what layer ARP is? Layer 2 which means it is all MAC based. 
Look at a program called arpwatch. It does what you want it to do. Look for 
arp poisoning. It does false on a few things but way better then ISS in MHO. 

 

2. Another question addressed to someone from ISS. There is a very
useful event - SensorStatistics. It can be used for behavior based
(statistical) analysis. I can do this by hand (for example, by SEC.pl I
can store statistics in database, and analyze delta), but may be ISS
plan this analysis in future?? Should I supply enhancements request for
this need too?

---
Best regards, Sergey V. Soldatov.
Information security department.
tel/fax +7 095 745 89 50
tel +7 095 777 77 07 (1613)


_______________________________________________
ISSForum mailing list
ISSForum@iss.net

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to 
https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to mod-issforum@iss.net

The ISSForum mailing list is hosted and managed by Internet Security 
Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.


_______________________________________________
ISSForum mailing list
ISSForum@iss.net

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to 
https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to mod-issforum@iss.net

The ISSForum mailing list is hosted and managed by Internet Security Systems, 
6303 Barfield Road, Atlanta, Georgia, USA 30328.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [ISSForum] ISS Scanner 6.2.1 and XP, Schlesselman, Clark Gary
Next by Date:  Re: [ISSForum] ARP Pisoning, etc., Soldatov, Sergey V.
Previous by Thread:  [ISSForum] ARP Pisoning, etc., Soldatov, Sergey V.
Next by Thread:  Re: [ISSForum] ARP Pisoning, etc., Soldatov, Sergey V.
Indexes:  [Date] [Thread] [Top] [All Lists]