Hello,
I'm doing some tests with arpwatch, and an arpwatch log doesn't fire
any rules by default.
I perform a man-in-the-middle attack with nemesis (nemesis arp -S
X.X.X.X -D Y.Y.Y.Y -h cc:cc:cc:cc:cc:cc), where X.X.X.X is the spoofed
IP address, Y.Y.Y.Y is my target and cc:cc:cc:cc:cc:cc is the MAC
address of my "evil" machine which performs the attack. After this,
the Y.Y.Y.Y target will have the pair X.X.X.X/cc:cc:cc:cc:cc:cc in its
ARP cache.
When I'm doing this I get this kind of arpwatch log:
Aug 10 03:10:59 testsrv arpwatch: ethernet mismatch X.X.X.X cc:cc:cc:cc:cc:cc (aa:aa:aa:aa:aa:aa) eth2
(where aa:aa:aa:aa:aa:aa is the real MAC address of my "evil" machine)
So, I added a rule, because I want to be alerted to a MitM attack
attempt.
The rule:
<rule id="170030" level="12">
  <if_sid>7200</if_sid>
  <match>ethernet mismatch</match>
  <description>The source MAC Ethernet address didn't match the address inside the ARP packet, probably an ARP spoofing attempt</description>
  <group>ip_spoof,</group>
</rule>
Maybe some of you are interested in this log and the rule?
AB
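As an added illustration of the detection logic the rule above encodes (this is example code written for this page, not part of the original post, OSSEC or arpwatch), the following Python parses arpwatch syslog lines, raises an alert for the "ethernet mismatch" case at the same level 12 the rule uses, and pulls out the Ethernet source MAC in parentheses, since that is the address of the machine actually sending the forged replies and the one you would go hunting for on the switch. The sample log lines are constructed for the example (RFC 5737 test addresses), the severity table is an assumption mirroring the rule rather than anything shipped by OSSEC, and the regex is built around the message layout shown in the post: event, IP, MAC from the ARP packet, optional second MAC in parentheses, interface.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample arpwatch lines (not captured from a real host).  The
# second line has the same shape as the "ethernet mismatch" line in the post:
# IP, MAC carried inside the ARP packet, then the Ethernet source MAC in
# parentheses, then the interface.
SAMPLE_LOG = """\
Aug 10 03:10:55 testsrv arpwatch: new station 192.0.2.10 bb:bb:bb:bb:bb:bb eth2
Aug 10 03:10:59 testsrv arpwatch: ethernet mismatch 192.0.2.1 cc:cc:cc:cc:cc:cc (aa:aa:aa:aa:aa:aa) eth2
Aug 10 03:11:02 testsrv arpwatch: changed ethernet address 192.0.2.1 cc:cc:cc:cc:cc:cc (00:11:22:33:44:55) eth2
Aug 10 03:11:05 testsrv arpwatch: flip flop 192.0.2.1 00:11:22:33:44:55 (cc:cc:cc:cc:cc:cc) eth2
"""

# arpwatch prints MAC octets without zero padding, so allow 1 or 2 hex digits.
MAC = r"(?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2}"
IP = r"\d{1,3}(?:\.\d{1,3}){3}"

# Assumed message grammar, derived from the post's line; "arpwatch[pid]:" is
# accepted as well as "arpwatch:".
ARPWATCH_RE = re.compile(
    r"arpwatch(?:\[\d+\])?: "
    r"(?P<event>new station|ethernet mismatch|changed ethernet address|flip flop) "
    rf"(?P<ip>{IP}) (?P<mac>{MAC})(?: \((?P<other_mac>{MAC})\))?(?: (?P<iface>\S+))?",
    re.IGNORECASE,
)

# Assumed severities: 12 for the mismatch, matching the rule in the post; the
# other values are illustrative choices, not OSSEC defaults.
SEVERITY = {
    "ethernet mismatch": 12,
    "changed ethernet address": 7,
    "flip flop": 7,
    "new station": 0,
}


@dataclass
class ArpEvent:
    event: str
    ip: str
    mac: str               # MAC inside the ARP packet
    other_mac: Optional[str]  # MAC in parentheses (Ethernet source / previous MAC)
    iface: Optional[str]

    @property
    def level(self) -> int:
        return SEVERITY.get(self.event, 0)


def parse_line(line: str) -> Optional[ArpEvent]:
    """Parse one syslog line; return None for lines that are not arpwatch events."""
    m = ARPWATCH_RE.search(line)
    if not m:
        return None
    other = m["other_mac"].lower() if m["other_mac"] else None
    return ArpEvent(m["event"].lower(), m["ip"], m["mac"].lower(), other, m["iface"])


def parse_log(log_text: str) -> List[ArpEvent]:
    return [ev for ev in (parse_line(l) for l in log_text.splitlines()) if ev]


def alerts(log_text: str, min_level: int = 12) -> List[ArpEvent]:
    """Events at or above min_level; with the default only the mismatch fires,
    which is the behaviour of the level-12 rule in the post."""
    return [ev for ev in parse_log(log_text) if ev.level >= min_level]


def suspect_mac(events: List[ArpEvent]) -> Optional[str]:
    """Ethernet source MAC most often seen on mismatch events: the frame's real
    sender, i.e. the address of the host forging ARP replies."""
    c = Counter(ev.other_mac for ev in events
                if ev.event == "ethernet mismatch" and ev.other_mac)
    return c.most_common(1)[0][0] if c else None


if __name__ == "__main__":
    for ev in alerts(SAMPLE_LOG):
        print(f"level {ev.level}: {ev.event} for {ev.ip} on {ev.iface}, "
              f"ARP says {ev.mac}, frame really from {ev.other_mac}")
    print("suspect MAC:", suspect_mac(parse_log(SAMPLE_LOG)))
```

Note that "changed ethernet address" and "flip flop" also show up when a host is legitimately moved or an IP is handed to another NIC, so they are kept at a lower level here; "ethernet mismatch" is the one case where the Ethernet header and the ARP payload disagree about who is talking, which is what the nemesis command in the post produces.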