On 9/20/05, Soldatov, Sergey V. <[EMAIL PROTECTED]> wrote:
>
> 1. ARP Poisoning can be used for sniffing in a switched network. As I
> understand (please, correct me if I'm wrong), the only way for Network
> Sensor to detect ARP poisoning is the signature IP_Duplicate, which detects
> two or more computers on the network using the same IP address. IP_Duplicate
> has a lot of false positives because of clusters (server clusters,
> router clusters with HSRP, etc.), and there is no ability to tune this
> signature with event filters, because it's impossible to create filters
> for event details (the different MACs of the IP are specified in the event
> details). Most of the IP_Duplicate events in my environment are FPs. Is the
> only way for me to submit an enhancement request to ISS to realize the
> ability to create filters for event details? Unfortunately, I think
> this can't be done soon. Does someone have ideas about ARP Poisoning
> detection? ANY feedback will be welcome.
Actually, ARP poisoning doesn't show up as a duplicate IP address. Remember what layer ARP is? Layer 2, which means it is all MAC based. Look at a program called arpwatch. It does what you want it to do: look for ARP poisoning. It false-positives on a few things, but it's way better than ISS, IMHO.

> 2. Another question addressed to someone from ISS. There is a very
> useful event - SensorStatistics. It can be used for behavior-based
> (statistical) analysis. I can do this by hand (for example, with SEC.pl I
> can store statistics in a database and analyze the delta), but maybe ISS
> plans this analysis in the future?? Should I submit an enhancement request for
> this need too?
>
> ---
> Best regards, Sergey V. Soldatov.
> Information security department.
> tel/fax +7 095 745 89 50
> tel +7 095 777 77 07 (1613)
>
>
> _______________________________________________
> ISSForum mailing list
> [email protected]
>
> TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
> https://atla-mm1.iss.net/mailman/listinfo/issforum
>
> To contact the ISSForum Moderator, send email to [EMAIL PROTECTED]
>
> The ISSForum mailing list is hosted and managed by Internet Security
> Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
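The reply's point is that ARP poisoning is a Layer 2 event: what arpwatch actually watches is the IP-to-MAC binding changing over time, not two hosts claiming one IP. As an added example (not code from the thread, from ISS or from arpwatch), the script below replays constructed ARP reply records, reports "changed ethernet address" and "flip flop" events the way arpwatch names them, and treats a swing to or from a Cisco HSRP v1 virtual MAC (00:00:0c:07:ac:<group>) as benign, which is the router-cluster case that generates the IP_Duplicate false positives described above. The sample data, station names and the `watch` function are all assumptions for illustration.

```python
"""arpwatch-style IP->MAC binding monitor (added example, constructed data)."""
from dataclasses import dataclass

# Cisco HSRP v1 uses the virtual MAC 00:00:0c:07:ac:<group>; an IP bouncing
# between a physical router MAC and this range is normal cluster failover.
HSRP_PREFIX = "00:00:0c:07:ac:"


@dataclass
class ArpReply:
    ts: int    # seconds since capture start (constructed)
    ip: str
    mac: str


def is_redundancy_vmac(mac: str) -> bool:
    return mac.lower().startswith(HSRP_PREFIX)


def watch(replies):
    """Return (ts, ip, old_mac, new_mac, kind) for every binding event.

    kind is 'new station', 'hsrp vmac (benign)', 'flip flop' (the IP
    went back to the MAC seen before the last one, the classic poisoning
    pattern) or 'changed ethernet address'.
    """
    table = {}   # ip -> (current_mac, previous_mac)
    events = []
    for r in replies:
        mac = r.mac.lower()
        if r.ip not in table:
            table[r.ip] = (mac, None)
            events.append((r.ts, r.ip, None, mac, "new station"))
            continue
        cur, prev = table[r.ip]
        if mac == cur:
            continue
        if is_redundancy_vmac(mac) or is_redundancy_vmac(cur):
            kind = "hsrp vmac (benign)"
        elif mac == prev:
            kind = "flip flop"
        else:
            kind = "changed ethernet address"
        table[r.ip] = (mac, cur)
        events.append((r.ts, r.ip, cur, mac, kind))
    return events


# Constructed capture: an HSRP gateway answering from its physical MAC,
# then a workstation whose binding is hijacked and later restored.
SAMPLE = [
    ArpReply(0, "10.0.0.1", "00:00:0c:07:ac:01"),
    ArpReply(5, "10.0.0.1", "00:11:22:33:44:01"),
    ArpReply(10, "10.0.0.50", "aa:bb:cc:dd:ee:50"),
    ArpReply(20, "10.0.0.50", "de:ad:be:ef:00:01"),
    ArpReply(25, "10.0.0.50", "aa:bb:cc:dd:ee:50"),
]

if __name__ == "__main__":
    for ev in watch(SAMPLE):
        print(ev)
```

Only the "changed ethernet address" and "flip flop" events for 10.0.0.50 deserve an alert; the gateway swing is reported but classified as cluster behaviour.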
