Network Security ISSForum

Re: [ISSForum] ARP Poisoning, etc.

Subject: Re: [ISSForum] ARP Poisoning, etc.
Date: Wed, 21 Sep 2005 09:39:15 +0400



________________________________

        From: Chris Lyon [mailto:cslyon@gmail.com]
        Sent: Tuesday, September 20, 2005 8:11 PM
        To: Soldatov, Sergey V.
        Cc: issforum@iss.net
        Subject: Re: [ISSForum] ARP Poisoning, etc.

        On 9/20/05, Soldatov, Sergey V. <SVSoldatov@tnk-bp.com> wrote:

                1. ARP poisoning can be used for sniffing in a switched
                network. As I understand (please correct me if I'm wrong),
                the only way for a Network Sensor to detect ARP poisoning
                is the signature IP_Duplicate, which detects two or more
                computers on the network using the same IP address.
                IP_Duplicate has a lot of false positives because of
                clusters (server clusters, router clusters with HSRP,
                etc.), and there is no ability to tune this signature with
                event filters, because it is impossible to create filters
                for event details (the different MACs of the IP are
                specified in the event details). Most IP_Duplicate events
                in my environment are FPs. Is the only way for me to
                submit an enhancement request to ISS to realize the
                ability to create filters for event details?
                Unfortunately, I think this can't be done soon. Does
                someone have ideas about ARP poisoning detection? ANY
                feedback will be welcome.

         
        Actually, ARP poisoning doesn't show up as a duplicate IP address.

        Remember what layer ARP is? Layer 2, which means it is all MAC
        based. Look at a program called arpwatch. It does what you want it
        to do: look for ARP poisoning. It gives false positives on a few
        things but is way better than ISS, IMHO.


        
        [svs] ARP poisoning in ISS CAN be detected as IP_Duplicate, and
        this is the only way. The IP_Duplicate event detects two or more
        computers which are using the same IP: the sensor looks at the
        IP-MAC correspondence and generates an event if it finds the
        sequence IP-MAC, IP-MAC2 where MAC != MAC2. Remember ARP
        poisoning: the bad guy generates a lot of ARP responses with its
        MAC and the IP of the router, and if the victim has a dynamic ARP
        cache (almost always it is so), soon the victim's ARP cache will
        contain the attacker's MAC with the router's IP, so all the
        victim's traffic to another subnet (VLAN) will be forwarded to the
        attacker's machine as to the router. This type of attack can
        sometimes be detected by the great number of ARP responses (it can
        be detected by some statistical analysis of traffic, and that is
        what my second question is about), but not always.

        Arpwatch. Of course I know this tool, but I can't use it in my
        environment, because nothing except the Network Sensor can listen
        on an interface on which the ISS high performance gigabit driver
        is installed (unfortunately, I use a Gigabit sensor and can't
        access my monitoring interface :-(( ).

        Thank you for your feedback, good luck!


         

        

                2. Another question, addressed to someone from ISS. There
                is a very useful event - SensorStatistics. It can be used
                for behavior based (statistical) analysis. I can do this
                by hand (for example, by SEC.pl I can store statistics in
                a database and analyze the delta), but maybe ISS plans
                this analysis in the future?? Should I submit an
                enhancement request for this need too?

                ---
                Best regards, Sergey V. Soldatov.
                Information security department.
                tel/fax +7 095 745 89 50
                tel +7 095 777 77 07 (1613)

                _______________________________________________
                ISSForum mailing list
                ISSForum@iss.net

                TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
                https://atla-mm1.iss.net/mailman/listinfo/issforum

                To contact the ISSForum Moderator, send email to
                mod-issforum@iss.net

                The ISSForum mailing list is hosted and managed by
                Internet Security Systems, 6303 Barfield Road, Atlanta,
                Georgia, USA 30328.


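The two detection ideas discussed in this thread, written out as an added example (this is not code from the thread, from ISS or from arpwatch): first, the IP_Duplicate / arpwatch-style check that alerts when an IP learned with one MAC is later announced with a different MAC, with an allowlist of MACs that legitimately share an IP (cluster members, HSRP/VRRP router pairs) to address the false positives Sergey describes; second, the statistical check behind his second question, a sliding-window count of ARP replies per sender that flags a sender re-announcing an address far more often than normal traffic does. The ARP replies, the allowlist entries, the thresholds and every MAC address below are constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List, Set


@dataclass(frozen=True)
class ArpReply:
    """One ARP reply as a sensor would record it (fields constructed for the example)."""
    ts: float          # capture time, seconds
    sender_ip: str     # protocol address being announced
    sender_mac: str    # hardware address the sender claims for it


# Constructed allowlist: IPs legitimately shared by several MACs (server
# clusters, HSRP/VRRP router pairs). A real deployment would fill this from an
# asset inventory; the IP and MACs below are made up for the example.
CLUSTER_MACS: Dict[str, Set[str]] = {
    "10.0.0.1": {"00:00:0c:07:ac:01", "00:11:22:33:44:01", "00:11:22:33:44:02"},
}


def detect_mapping_changes(replies: Iterable[ArpReply],
                           allowlist: Dict[str, Set[str]]) -> List[dict]:
    """IP_Duplicate / arpwatch-style check.

    Remember the MAC last seen for each IP and alert when the IP is announced
    with a different one. A change between two MACs that are both allowlisted
    for that IP is treated as a normal cluster/HSRP failover, not an alert.
    """
    learned: Dict[str, str] = {}
    alerts: List[dict] = []
    for r in replies:
        ip, mac = r.sender_ip, r.sender_mac.lower()
        prev = learned.get(ip)
        if prev is not None and prev != mac:
            legit = allowlist.get(ip, set())
            if not (prev in legit and mac in legit):
                alerts.append({"type": "ip_mac_changed", "ip": ip,
                               "old_mac": prev, "new_mac": mac, "ts": r.ts})
        learned[ip] = mac   # track the latest claim so a flap back is seen too
    return alerts


def detect_reply_floods(replies: Iterable[ArpReply],
                        window: float, threshold: int) -> List[dict]:
    """Statistical check: ARP replies per sender MAC in a sliding time window.

    Poisoning keeps re-sending replies so the victim's cache stays
    overwritten; a sender exceeding `threshold` replies within `window`
    seconds is reported once.
    """
    recent: Dict[str, Deque[float]] = defaultdict(deque)
    alerted: Set[str] = set()
    alerts: List[dict] = []
    for r in replies:                      # requires replies sorted by ts
        mac = r.sender_mac.lower()
        q = recent[mac]
        q.append(r.ts)
        while q and r.ts - q[0] > window:  # drop timestamps outside the window
            q.popleft()
        if len(q) > threshold and mac not in alerted:
            alerted.add(mac)
            alerts.append({"type": "arp_reply_flood", "mac": mac,
                           "count": len(q), "window": window, "ts": r.ts})
    return alerts


def analyze(replies: Iterable[ArpReply], allowlist=CLUSTER_MACS,
            window: float = 5.0, threshold: int = 20) -> List[dict]:
    """Run both checks over a capture and return the combined alert list."""
    ordered = sorted(replies, key=lambda r: r.ts)
    return (detect_mapping_changes(ordered, allowlist)
            + detect_reply_floods(ordered, window, threshold))


# Constructed capture: normal traffic, an HSRP/cluster failover of 10.0.0.1,
# then a made-up attacker MAC re-announcing the router's IP every 100 ms.
SAMPLE_REPLIES: List[ArpReply] = [
    ArpReply(0.0, "10.0.0.1", "00:00:0c:07:ac:01"),   # router, HSRP virtual MAC
    ArpReply(1.0, "10.0.0.50", "00:aa:bb:cc:dd:50"),  # ordinary host
    ArpReply(2.0, "10.0.0.1", "00:11:22:33:44:02"),   # cluster member takes over
    ArpReply(3.0, "10.0.0.1", "00:00:0c:07:ac:01"),   # and hands back
] + [
    ArpReply(10.0 + i * 0.1, "10.0.0.1", "de:ad:be:ef:00:01") for i in range(30)
]


if __name__ == "__main__":
    for alert in analyze(SAMPLE_REPLIES):
        print(alert)
    # Without the allowlist the two failover events would be reported as well:
    print(len(detect_mapping_changes(SAMPLE_REPLIES, {})), "changes without allowlist")
```

With the allowlist in place the sample capture yields one mapping-change alert (the router's IP moving to the unknown MAC) and one flood alert for that MAC; with an empty allowlist the two cluster failovers are reported too, which is the false-positive pattern the thread complains about. The window and threshold are starting points only; they should be set from the baseline reply rate observed on the monitored segment.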
