If you have a cisco environment, use port security and map one mac to an
IP. If arp poisoning occurs you can have the port shut down
automatically
Scott Johnson
CISSP, GSEC
ERCOT Cyber Security
(512) 248-3152
-----Original Message-----
From: issforum-bounces@iss.net [mailto:issforum-bounces@iss.net] On
Behalf
Of Chris Lyon
Sent: Tuesday, September 20, 2005 11:11 AM
To: Soldatov, Sergey V.
Cc: issforum@iss.net
Subject: Re: [ISSForum] ARP Pisoning, etc.
On 9/20/05, Soldatov, Sergey V. <SVSoldatov@tnk-bp.com> wrote:
1. ARP Poisoning can be used for sniffing in switched network. As I
understand (please, correct me if I'm wrong) the only way for
Network
sensor to detect ARP poisoning is signature IP_Duplicate, which
detects
two or more computers on network using the same IP address.
IP_Duplicate
has a lot of false positives because of clusters (server clusters,
router cluster with HSRP, etc) and it's no ability to tune this
signature with event filters, because its impossible to create
filters
for event details (because different MACs of IP are specified in
event
details). Most of IP_Duplicate events in my environment are FP. Does
the
only way for me is to supply enhancements request to ISS to realize
the
ability to create filters for event details? Unfortunately, I think,
this can't be done soon. Does someone have ideas about ARP Poisoning
detection? ANY feedback will be welcome.
Actually, arp poisoning doesn't show up as duplicate IP address.
Remember what layer ARP is? Layer 2 which means it is all MAC based.
Look at a program called arpwatch. It does what you want it to do.
Look
for
arp poisoning. It does false on a few things but way better then ISS
in
MHO.
2. Another question addressed to someone from ISS. There is a very
useful event - SensorStatistics. It can be used for behavior based
(statistical) analysis. I can do this by hand (for example, by
SEC.pl I
can store statistics in database, and analyze delta), but may be ISS
plan this analysis in future?? Should I supply enhancements request
for
this need too?
---
Best regards, Sergey V. Soldatov.
Information security department.
tel/fax +7 095 745 89 50
tel +7 095 777 77 07 (1613)
_______________________________________________
ISSForum mailing list
ISSForum@iss.net
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo/issforum
To contact the ISSForum Moderator, send email to
mod-issforum@iss.net
The ISSForum mailing list is hosted and managed by Internet Security
Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
_______________________________________________
ISSForum mailing list
ISSForum@iss.net
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-
mm1.iss.net/mailman/listinfo/issforum
To contact the ISSForum Moderator, send email to mod-issforum@iss.net
The ISSForum mailing list is hosted and managed by Internet Security
Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
_______________________________________________
ISSForum mailing list
ISSForum@iss.net
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo/issforum
To contact the ISSForum Moderator, send email to mod-issforum@iss.net
The ISSForum mailing list is hosted and managed by Internet Security Systems,
6303 Barfield Road, Atlanta, Georgia, USA 30328.
