Experimental Preprocessors
Problem
The preprocessor arpspoof is not officially supported by Snort developers yet. How do I implement it?
How do I use the arpspoof preprocessor to detect layer 2 attacks?
Solution
The experimental arpspoof preprocessor can detect layer 2 attacks. These attacks include man-in-the-middle attacks between an important host such as a web server and core router(s). This is one of the few preprocessors that can actually have several instances running simultaneously.
This example monitors ARP cache changes for two machines on the same layer 2 segments as our sensor. As this code is still not fully supported, you cannot use it for monitoring an entire network.
preprocessor arpspoof_detect_host: 10.0.4.1 00:01:03:30:3f:c8 preprocessor arpspoof_detect_host: 10.0.4.100 00:06:29:30:16:2f
Another option is to use this preprocessor for detecting when unsolicited ARP Unicasts are sent out over your layer 2 segments.
Preprocessor arpspoof: -unicast
Discussion
This preprocessor, while experimental, has an active author and is actively patched and discussed on the snort-devel mailing list. One of the configuration issues of this preprocessor is that it can only track MAC addresses on the same layer 2 segment that the sensor is on. For example, if you are sniffing on your RAS link, this preprocessor can only be used to monitor for traffic either on that same segment or no further than the first routable hop. That is because after the packet is passed through its first hop, it no longer has its MAC address but the address of the first hop, usually the router's MAC address. For example, if you wanted to monitor layer 2 changes to a router and the next closest switch/router, that would count as the first hop away.
Another concern with this preprocessor is that to detect your MAC changes, you have to enter manually each IP and its proper MAC address you want to use. One question that has been raised by the community is how this sensor will react to high-traffic networks such as those that use Hot Switch Routing Protocol (HSRP) for a redundant network.
Another concern with the detection of Unicast ARP requests and replies is that it can generate a lot of alarms. Apparently, most Linux and Cisco systems perform active ARP table updates of their cache files to keep the most up-to-date MAC information.
See Also
Beale, Jay. Snort 2.1 Intrusion Detection. Rockland, MA: Syngress, 2004.
Snort-devel mailing list
Writing Your Own Preprocessor
|