Re: [ISSForum] ARP Poisoning, etc.

From: Soldatov, Sergey V. (SVSoldatovtnk-bp.com)
Date: Wed Sep 21 2005 - 00:39:15 CDT


________________________________

        From: Chris Lyon [mailto:cslyongmail.com]
        Sent: Tuesday, September 20, 2005 8:11 PM
        To: Soldatov, Sergey V.
        Cc: issforumiss.net
        Subject: Re: [ISSForum] ARP Poisoning, etc.
        
        
        On 9/20/05, Soldatov, Sergey V. <SVSoldatovtnk-bp.com> wrote:

                1. ARP Poisoning can be used for sniffing in a switched network. As I understand (please correct me if I'm wrong), the only way for Network Sensor to detect ARP poisoning is the signature IP_Duplicate, which detects two or more computers on the network using the same IP address. IP_Duplicate has a lot of false positives because of clusters (server clusters, router clusters with HSRP, etc.), and there is no ability to tune this signature with event filters, because it is impossible to create filters for event details (the different MACs of the IP are specified in the event details). Most IP_Duplicate events in my environment are FPs. Is the only way for me to submit an enhancement request to ISS to implement the ability to create filters for event details? Unfortunately, I think this can't be done soon. Does someone have ideas about ARP poisoning detection? ANY feedback will be welcome.


        Actually, ARP poisoning doesn't show up as a duplicate IP address.

        Remember what layer ARP is? Layer 2, which means it is all MAC based. Look at a program called arpwatch. It does what you want it to do: look for ARP poisoning. It gives false positives on a few things but is way better than ISS, IMHO.

        [svs] ARP poisoning in ISS CAN be detected as IP duplicate, and this is the only way. The IP_Duplicate event detects two or more computers which are using the same IP: the sensor tracks the IP-to-MAC correspondence and generates an event if it finds the sequence IP-MAC, IP-MAC2 where MAC != MAC2. Remember ARP poisoning: the bad guy generates a lot of ARP responses with its MAC and the IP of the router, and if the victim has a dynamic ARP cache (almost always it is so), soon the victim's ARP cache will contain the attacker's MAC for the router's IP, so all the victim's traffic to another subnet (VLAN) will be forwarded to the attacker's machine as if to the router. This type of attack sometimes can be detected by the great number of ARP responses (it can be detected by some statistical analysis of traffic, and that's what my second question is about), but not always.

        Arpwatch. Of course I know this tool, but I can't use it in my environment, because nothing except Network Sensor can listen on the interface on which the ISS high performance gigabit driver is installed (unfortunately, I use the Gigabit sensor and can't access my monitoring interface :-(( )


        Thank you for your feedback, good luck!


                2. Another question, addressed to someone from ISS. There is a very useful event, SensorStatistics. It can be used for behavior-based (statistical) analysis. I can do this by hand (for example, with SEC.pl I can store statistics in a database and analyze the delta), but maybe ISS plans this analysis in the future?? Should I submit an enhancement request for this need too?

                ---
                Best regards, Sergey V. Soldatov.
                Information security department.
                tel/fax +7 095 745 89 50
                tel +7 095 777 77 07 (1613)

                _______________________________________________
                ISSForum mailing list
                ISSForumiss.net

                TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum

                To contact the ISSForum Moderator, send email to mod-issforumiss.net

                The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.


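An added example, not code from the thread or from ISS or arpwatch: the two detection ideas Sergey describes (an IP's MAC binding changing, which is the IP_Duplicate logic, and a burst of ARP replies from one station, the statistical check) implemented in Python over a constructed sample of ARP replies. The per-IP allowlist of cluster/HSRP MACs is an assumption, standing in for the "filter on event details" the thread says the sensor lacks, to suppress the false positives he mentions.

```python
from collections import defaultdict, deque

# Constructed sample of ARP replies seen on one segment (not a real capture):
# (time_seconds, sender_ip, sender_mac).
SAMPLE_ARP_REPLIES = [
    (0.0, "10.0.0.1", "00:00:0c:07:ac:01"),  # router: HSRP virtual MAC, expected
    (1.0, "10.0.0.1", "00:00:0c:07:ac:02"),  # HSRP standby answering, also expected
    (2.0, "10.0.0.5", "00:11:22:33:44:55"),  # ordinary host
] + [
    # 30 replies in 3 seconds from one station claiming the router's IP
    (3.0 + i * 0.1, "10.0.0.1", "de:ad:be:ef:00:01") for i in range(30)
]

# Assumed allowlist: MACs that may legitimately answer for a clustered/HSRP IP.
EXPECTED_MACS = {"10.0.0.1": {"00:00:0c:07:ac:01", "00:00:0c:07:ac:02"}}


def detect_arp_poisoning(replies, expected=EXPECTED_MACS, window_s=5.0, max_replies=20):
    """Return alerts as (kind, time, ip, mac).

    ip_mac_change:   an IP previously bound to MAC is now claimed by MAC2 != MAC
                     (the IP_Duplicate idea), unless MAC2 is allowlisted for that IP.
    arp_reply_flood: one sender MAC emits more than max_replies replies within
                     window_s seconds (the statistical check from the thread).
    """
    ip_to_mac = {}                 # last MAC seen claiming each IP
    recent = defaultdict(deque)    # sender MAC -> reply timestamps inside the window
    flooded = set()                # report each flooding station only once
    alerts = []
    for t, ip, mac in sorted(replies):
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac and mac not in expected.get(ip, set()):
            alerts.append(("ip_mac_change", t, ip, mac))
        ip_to_mac[ip] = mac

        q = recent[mac]
        q.append(t)
        while q and t - q[0] > window_s:   # drop timestamps that left the window
            q.popleft()
        if len(q) > max_replies and mac not in flooded:
            flooded.add(mac)
            alerts.append(("arp_reply_flood", t, ip, mac))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP_REPLIES):
        print(alert)
```

The HSRP standby taking over at t=1.0 produces no alert because its MAC is allowlisted for that IP; the third station's first claim of 10.0.0.1 raises the binding-change alert and its burst raises the flood alert once the window fills.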