Hello all,
I'm looking for opinions and advice on programs to use primarily for MITM detection. I'm running Fedora 11 and looking for a good all-around network intrusion detection system (MITM, port scanning, spoofing, etc.) with a decent integrated notification system (pop-up messages instead of having to periodically check a log, if possible). I'm looking into snort at the time of writing this but am making slow progress wrapping my head around it, so any advice is appreciated.
Thanks
A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.
What kind of MITM attacks are you referring to? If you are talking about ettercap, Cain & Abel, etc., these utilize ARP poisoning, which is a layer 2 attack that snort, by default, cannot detect unless some creative modifications are made.
Snort, simply put, is a heuristic network detection engine that looks at TCP/IP packets (layer 3) individually and in a sequence to find attack/enumeration vectors.
"Sure is for people with nothing on the line.....you and me? We just get on with it."
-Garabaldi
I am referring to ARP poisoning. I suppose what I'm going for as far as MITM is the ability to recognize things such as the gateway address changing without the connection changing (assuming you catch it being initialized). It doesn't seem like it would be that hard to detect (just periodically checking the ARP table), but at the same time I never found anything specific for it in the default snort rules.
Would you recommend anything else that would detect layer 2 attacks/suspicious changes on a network?
I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.
I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.
Arpwatch works quite well, thank you.
For anyone who asks, there is a burden and a boon with arpwatch.
It's really easy to start and run:

Code:
# crontab -l
@reboot /usr/sbin/arpwatch -i eth0 -e gitsnik@notmyemail.local

But if you're smart (enough) to know where the arpwatch server is (most people only run a single interface for arpwatch rather than a proper segregated network):

Code:
pseudo:
iptables -A FORWARD -p tcp --dport 25 -j DROP
arpspoof /mailserver/ /arpwatchserver/
(or)
arpspoof /arpwatchserver/ /gatewaytoexternalserver/

And you've completely annulled the setup.
Snort is definitely the way to go, with proper sensors setup and a separate network. arpwatch is good for smallish installations though.
Still not underestimating the power...
There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.
I've gotten snort up with BASE, and arpwatch running separately. That said, this is mostly just for a small home network that nobody should be able to access, but also for public networks should I ever need to do anything secure on them. My workplace offers free public wifi, and I know that our IT has no system in place to prevent MITM attacks so my own defense needs to be self contained in my laptop.
Snort actually can be used to detect ARP poisonings, if they are directed at your entire network. You can do this using the arpspoof preprocessor in snort.conf:
preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
Basically, if you know which IPs on your network are reserved, you can use their known IP-to-MAC combinations to detect change, which could be indicative of poisoning. Now if either a host that is not on your list is targeted, or one that is on a DHCP lease, then this method will fail.
Don't get me started on this...MITM is the least of your problems in a completely open wifi infrastructure.
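The two detection ideas in this thread (periodically checking the ARP table for the gateway's MAC changing, and the static IP-to-MAC list that the snort arpspoof_detect_host entries rely on) can be combined into a small host-local watcher. The script below is an added example written for this thread, not code from any poster, snort or arpwatch. It assumes a Linux box where the kernel ARP cache is readable as /proc/net/arp, and it optionally uses notify-send for the desktop pop-up the original poster asked for; the TRUSTED table is a constructed sample (the gateway pair is the one quoted in the snort config line above), and the sample ARP tables are constructed input. Like the snort preprocessor it only knows about hosts you list, but the duplicate-MAC check catches the common case where one MAC suddenly answers for both the gateway and another host.

```python
#!/usr/bin/env python3
"""Poll the kernel ARP table and alert when trusted IP-to-MAC pairs change.

Hypothetical helper for the thread above (not arpwatch or snort code):
it reads /proc/net/arp, compares it with a static trusted table and with
the previous poll, and raises a desktop notification on anomalies.
"""
import shutil
import subprocess
import time

# Constructed trusted table: replace with the reserved hosts on your LAN.
# The gateway pair matches the snort arpspoof_detect_host line in the thread.
TRUSTED = {
    "192.168.40.1": "f0:0f:00:f0:0f:00",
}

# Constructed sample tables in /proc/net/arp layout, used for testing offline.
SAMPLE_ARP_CLEAN = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.40.1     0x1         0x2         f0:0f:00:f0:0f:00     *        eth0
192.168.40.23    0x1         0x2         de:ad:be:ef:00:02     *        eth0
"""

# Same LAN after the gateway entry has been replaced by a MAC that also
# claims another host; the 192.168.40.7 entry is incomplete and ignored.
SAMPLE_ARP_POISONED = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.40.1     0x1         0x2         de:ad:be:ef:00:01     *        eth0
192.168.40.23    0x1         0x2         de:ad:be:ef:00:01     *        eth0
192.168.40.7     0x1         0x0         00:00:00:00:00:00     *        eth0
"""


def parse_arp_table(text):
    """Parse /proc/net/arp text into {ip: mac}, skipping incomplete entries."""
    table = {}
    for line in text.strip().splitlines()[1:]:      # first line is the header
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, flags, mac = fields[0], fields[2], fields[3].lower()
        if flags == "0x0" or mac == "00:00:00:00:00:00":
            continue                                # unresolved / stale entry
        table[ip] = mac
    return table


def find_anomalies(current, trusted, previous=None):
    """Return (ip, expected_mac, seen_mac, reason) tuples for suspicious entries."""
    alerts = []
    # 1. A listed host resolving to a MAC other than the one we trust.
    for ip, expected in trusted.items():
        seen = current.get(ip)
        if seen is not None and seen != expected.lower():
            alerts.append((ip, expected, seen,
                           "trusted IP now resolves to a different MAC"))
    # 2. One MAC answering for several IPs (typical of a poisoning host).
    by_mac = {}
    for ip, mac in current.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append((",".join(sorted(ips)), "-", mac,
                           "one MAC answers for several IPs"))
    # 3. Any unlisted host whose MAC changed since the last poll.
    if previous:
        for ip, mac in current.items():
            old = previous.get(ip)
            if old and old != mac and ip not in trusted:
                alerts.append((ip, old, mac, "MAC changed since last poll"))
    return alerts


def notify(alert):
    """Print the alert and raise a desktop pop-up when notify-send exists."""
    ip, expected, seen, reason = alert
    msg = f"ARP anomaly: {ip}: expected {expected}, saw {seen} ({reason})"
    if shutil.which("notify-send"):
        subprocess.run(["notify-send", "-u", "critical", "ARP watch", msg],
                       check=False)
    print(msg)


def main(interval=5):
    """Poll the live ARP cache every `interval` seconds until interrupted."""
    previous = {}
    while True:
        with open("/proc/net/arp") as f:
            current = parse_arp_table(f.read())
        for alert in find_anomalies(current, TRUSTED, previous):
            notify(alert)
        previous = current
        time.sleep(interval)


if __name__ == "__main__":
    main()
```

Run it from a terminal session on the laptop (no root needed to read /proc/net/arp); the entries in TRUSTED should be the hosts you reserve in your own network, and as the thread notes, anything on a DHCP lease can only be covered by the change-since-last-poll check, which is noisier.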