From: kyle.r.maxwell@verizon.com
Date: Mon Jun 24 2002 - 11:02:44 CDT


    TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
    majordomo@iss.net Contact issforum-owner@iss.net for help with any problems!
    ----------------------------------------------------------------------------

    That still doesn't answer the question. Most of us know what MAC addresses
    are -- the problem is that the signature is not clear.

    (1) How does RS determine that this event has occurred?
    (2) Which MAC address corresponds to what? Are these just the MAC addresses
    of the two machines both reporting the same address?

    We get this on small controlled networks too, which makes me think that the
    signature itself is faulty.

    -----Original Message-----
    From: "Means, David (ISS Atlanta)" <DMeans@iss.net>
    Sent: Monday, June 24, 2002 10:22 AM
    To: issforum@iss.net
    Cc:
    Subject: RE: Duplicate IP event - how does it use ARP and what do the
    fields mean (exactly)? (Sent by owner-issforum@iss.net on behalf of
    "Means, David (ISS Atlanta)" <DMeans@iss.net>)


    MAC1 and MAC2 are the Media Access Control addresses of the NICs associated
    with the IP addresses in question (
    http://foldoc.doc.ic.ac.uk/foldoc/foldoc.cgi?Media+Access+Control )

    If at all possible, I'd like to have a capture of your traffic and a copy of
    your policy file.

    David

    -----Original Message-----
    From: Jason Renard [mailto:techsup@bitmap.c-o-m]
    Sent: Saturday, June 22, 2002 1:02 PM
    To: issforum@iss.net
    Subject: Duplicate IP event - how does it use ARP and what do the fields
    mean (exactly)?


    Hi,

    I'm still having problems with duplicate IP address alerts and would value
    any ideas.

    I'm running a small static test system and I'm not doing anything fancy
    with routers etc.

    I've even left an arp trace running and inspected the packets at and around
    the time of the RealSecure alerts, but all the arp packets (requests and
    responses) look fine - normal broadcast requests and unicast responses from
    the correct MAC addresses.

    If I can't figure out how to analyze duplicate IP address alerts in a
    simple environment like this, especially when I've got a corresponding arp
    trace, then I'm going to have problems in the wild.

    Please could somebody explain how RealSecure determines duplicate IP
    address events, or at least the meaning of the MAC1/MAC2 fields in the
    Event Details window?

    Thanks,
    Jason

    On Fri, 14 Jun 2002 16:50:49 +0100, Jason Renard <techsup@bitmap.c-o-m>
    wrote:

    >
    >Hi,
    >
    >I have the following in a small test environment (all v65):
    >
    >System [S2] with IP address [I2] MAC address [E2] - it's a Network Sensor
    >System [S3] with IP address [I3] MAC address [E3] - it's an Event Collector
    >System [S5] with IP address [I5] MAC address [E5] - it's a console
    >
    >Occasionally I see a Duplicate IP address event (there was one last night
    >at 00:35), for example:
    >
    >Duplicate IP address (Suspicious arp)
    >
    >SourceIPaddress: I2
    >DestIPaddress: I3
    >SourceEthernetAddress: E2
    >SourceEthernetAddress: E3
    >MAC1: E5
    >MAC2: E2
    >
    >The online help says "RealSecure Network Sensor detects the duplicate IP
    >address by monitoring ARP packets and comparing the MAC address and IP
    >addresses found in each packet. When it detects two packets with the same
    >IP address, but different MAC addresses it creates this IPDuplicate event"
    >
    >Please could somebody help with the following?
    >
    >1) Does RealSecure only use ARP packets or will it examine normal IP
    >packets as well? The latter would be more of an overhead, however it could
    >catch more instances of duplicate IP addresses.
    >
    >2) If RealSecure only uses ARP packets, does it use the DLC
    >source/destination from those packets or does it use the payload
    >Sender/Target fields?
    >
    >3) Does RealSecure apply this processing to both SOURCE and DESTINATION
    >addresses?
    >
    >4) Most importantly, WHAT DO THOSE FIELDS MEAN? I presume the first four
    >fields relate to the packet which tripped the event, and I'm assuming it
    >was probably an ARP reply. So what do the fields MAC1 and MAC2 mean?
    >
    >5) ANY other info on this topic would be appreciated so that I can try to
    >put these events into context.
    >
    >Thanks,
    >Jason
    >
    >Jason Renard
    >
    >Warning - all views expressed are my own.
    >I cannot guarantee the accuracy of everything
    >I've said - use it at your own risk.
    >
    >

    Jason Renard

    Warning - all views expressed are my own.
    I cannot guarantee the accuracy of everything
    I've said - use it at your own risk.
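The help text quoted in the thread describes the detection rule as: watch ARP, remember which MAC claims each IP, and raise an event when a second MAC claims the same IP. The following is an added example, not ISS code and not RealSecure's actual algorithm (the thread leaves those details open), of one straightforward implementation of that rule. It parses both the Ethernet (DLC) header and the ARP payload so that question 2 above can be seen concretely: the binding is keyed on the ARP payload sender pair, a mismatch between the frame's source MAC and the payload sender MAC is reported as a separate "Inconsistent ARP" observation, and the first MAC seen for an IP is reported as MAC1 with the conflicting one as MAC2. That MAC1/MAC2 assignment, the event names and the host addresses are all assumptions or constructed values for this example; plain IP traffic is ignored, as the quoted help text implies.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ETH_HDR = "!6s6sH"           # dst MAC, src MAC, ethertype (14 bytes)
ARP_HDR = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa (28 bytes)


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(s):
    return bytes(int(o) for o in s.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip, eth_src=None):
    """Construct an Ethernet II + IPv4-over-Ethernet ARP frame (demo input only).
    eth_src lets the DLC source differ from the ARP sender MAC to show the distinction."""
    eth_dst = "ff:ff:ff:ff:ff:ff" if op == ARP_REQUEST else target_mac
    eth = struct.pack(ETH_HDR, mac_bytes(eth_dst), mac_bytes(eth_src or sender_mac), ETHERTYPE_ARP)
    arp = struct.pack(ARP_HDR, 1, 0x0800, 6, 4, op,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp_frame(frame):
    """Return DLC and ARP payload fields, or None if the frame is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    dst, src, ethertype = struct.unpack(ETH_HDR, frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_HDR, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": mac_str(src), "eth_dst": mac_str(dst), "op": op,
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


class DuplicateIpDetector:
    """Learn IP -> MAC bindings from ARP sender fields and flag a second MAC claiming an IP."""

    def __init__(self):
        self.bindings = {}  # ip -> first MAC seen claiming it (reported as MAC1; an assumption)

    def observe(self, frame, index=0):
        arp = parse_arp_frame(frame)
        if arp is None:
            return []  # not ARP: plain IP traffic is not examined in this example
        events = []
        # Only the sender pair is a claim of ownership: in a request the target MAC is a
        # placeholder, and in a reply the target pair merely echoes the requester.
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if arp["eth_src"] != mac:
            # DLC source and payload sender disagree; reported separately so the analyst can
            # see that the duplicate decision below is based on the payload field only.
            events.append({"event": "Inconsistent ARP", "frame": index, "ip": ip,
                           "dlc_src": arp["eth_src"], "sender_mac": mac})
        first = self.bindings.setdefault(ip, mac)
        if first != mac:
            events.append({"event": "Duplicate IP address", "frame": index, "ip": ip,
                           "MAC1": first, "MAC2": mac})
        return events


def run_demo():
    """Replay constructed frames for three hosts laid out like S2/S3/S5 in the thread."""
    I2, E2 = "10.0.0.2", "00:00:00:00:00:02"   # constructed values, not the thread's real ones
    I3, E3 = "10.0.0.3", "00:00:00:00:00:03"
    I5, E5 = "10.0.0.5", "00:00:00:00:00:05"
    frames = [
        build_arp_frame(ARP_REQUEST, E2, I2, "00:00:00:00:00:00", I3),  # normal broadcast request
        build_arp_frame(ARP_REPLY, E3, I3, E2, I2),                      # normal unicast reply
        build_arp_frame(ARP_REQUEST, E5, I5, "00:00:00:00:00:00", I2),  # normal request from E5
        build_arp_frame(ARP_REPLY, E5, I2, E3, I3),                      # E5 now answers for I2
    ]
    det = DuplicateIpDetector()
    events = []
    for i, frame in enumerate(frames):
        events.extend(det.observe(frame, i))
    return events


if __name__ == "__main__":
    for ev in run_demo():
        print(ev)
```

Two points follow from the code that bear on the thread's puzzle. First, requests carry a sender claim just as replies do, so a perfectly normal broadcast request from a host can be the packet that trips the event if the sensor had earlier learned a different MAC for that IP; a trace that shows only well-formed ARP is therefore consistent with the alert. Second, the learned binding never expires here; on a real network a reassigned DHCP lease or a replaced NIC legitimately changes the MAC for an IP, so a detector without an aging policy will keep firing on stale state, which is one reason to ask what the sensor's retention rules are before treating every such event as a conflict.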