Let me reword this, and the OP can correct me if I have hijacked his thread. I would be interested in seeing if OSSEC can detect masquerader-type attacks from the different appliances, such as a router... I think SSH would be easier because you have the RSA keys that will change on the source, unless it is only a listener, then not so much.
This seems to be more of an application issue though... so I am not sure if OSSEC could detect a specific occurring instance, or even if a specific occurrence would warrant an agent-based rule to be set, since it would be almost too finite and granular. Can OSSEC do detection of promiscuous network anomalies? My guess is only if it has a "fingerprint" or checksum comparison in a log somewhere. Thoughts?

On Tue, Mar 1, 2011 at 1:28 PM, Francisco Neira <[email protected]> wrote:
> On 03/01/2011 01:23 PM, Kelly Fitzgerald wrote:
>> Masquerading is an attack done at the network layer. The masquerade
>> attack is an attack where an attacker will try to access a computer
>> pretending to have an authorized user identity such as a network
>> administrator.
>>
>> On Tue, Mar 1, 2011 at 11:35 AM, dan (ddp) <[email protected]> wrote:
>>> What are masquerading attacks?
>>>
>>> On Tue, Mar 1, 2011 at 10:44 AM, Kholidy <[email protected]> wrote:
>>>> Is OSSEC discovering the Masquerading attacks? If yes how? Please, If
>>>> possible send me a link to a document which explains this point.
>>>>
>>>> Thanks,
>>>> Hesham
>
> Perhaps this could help us.
> http://cseweb.ucsd.edu/classes/sp07/cse291-d/presentations/gupta2.pdf
>
> --
> Francisco Neira Basso, ISO 27002
> Information Security
> ISACA No.565432, IEEE No.90934498
> Linux User # 165985
> Defensoria del Pueblo

--
Gallia est omnes divisa in partes tres. LIT(All Gaul is divided into three parts)
Divide a problem into parts, understand each on its own terms, and plan your campaign
Julius Caesar .
GoogleVoice (614) 489-9522
