Count ARP packets under ARP poisoning attacks
Raphael Campos Silva
raphaelcampos.rp at gmail.com
Fri Nov 15 02:58:45 EST 2013
Hello everybody,
I'm building an Intrusion Detection System (IDS) to detect ARP anomalies in the local
network, so I take all the ARP packets that pass through Argus and
store them in MySQL. Everything is fine with that, but when I run some
attacks in the local network, such as ARP poisoning, Argus counts the answers
(produced by the ARP poisoning) as requests. For example:
+--------------+------------+---------+---------+---------+---------+
| saddr        | daddr      | spkts   | dpkts   | smac    | dmac    |
+--------------+------------+---------+---------+---------+---------+
| 10.0.0.10    | 10.0.0.3   | 6       | 0       | A       | B       |
+--------------+------------+---------+---------+---------+---------+
I sent 6 fake answers (by ARP poisoning) and Argus counted them as
'source packets'. As an alternative solution, I just toggle the
values (spkts and dpkts) because I know, based on dmac, that it isn't a
broadcast packet.
Is that a problem with Argus, or am I missing something?
Thanks
--
Raphael
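The following is an added worked example, not code from the original post and not part of Argus. It parses constructed Ethernet/ARP frames, classifies each one as request or reply both by the ARP opcode and by the broadcast-dmac heuristic described above, aggregates them into rows shaped like the table in the post (requests toward spkts, replies toward dpkts), and flags IP-to-MAC binding changes of the kind an ARP poisoning run produces. All MAC addresses, IP addresses, frame contents and function names are constructed for illustration; the (sender IP, target IP) flow key is a simplification and does not reproduce Argus's own flow records or field semantics.

```python
"""Classify and count ARP frames per flow; constructed sample data, no capture library."""
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def bytes_to_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp_frame(dst_mac, src_mac, opcode, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet II header followed by a 28-byte Ethernet/IPv4 ARP payload (RFC 826), no padding/FCS."""
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return eth + arp


def parse_arp_frame(frame: bytes) -> dict:
    """Decode Ethernet + ARP; rejects anything that is not Ethernet/IPv4 ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_ARP:
        raise ValueError(f"not an ARP frame (ethertype 0x{ethertype:04x})")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    return {
        "dmac": bytes_to_mac(frame[0:6]), "smac": bytes_to_mac(frame[6:12]), "opcode": opcode,
        "sender_mac": bytes_to_mac(frame[22:28]), "sender_ip": bytes_to_ip(frame[28:32]),
        "target_mac": bytes_to_mac(frame[32:38]), "target_ip": bytes_to_ip(frame[38:42]),
    }


def direction_by_opcode(arp: dict) -> str:
    """Authoritative: the ARP opcode says whether this is a request or a reply."""
    return "request" if arp["opcode"] == ARP_REQUEST else "reply"


def direction_by_dmac(arp: dict) -> str:
    """The heuristic from the post: a non-broadcast Ethernet destination means 'reply'."""
    return "request" if arp["dmac"] == BROADCAST_MAC else "reply"


def summarize_flows(frames) -> dict:
    """Rows shaped like the post's table, keyed by (sender IP, target IP): requests -> spkts,
    replies -> dpkts by opcode, plus a count of frames where the dmac heuristic disagrees."""
    rows = defaultdict(lambda: {"spkts": 0, "dpkts": 0, "smac": None, "dmac": None, "heuristic_mismatch": 0})
    for raw in frames:
        arp = parse_arp_frame(raw)
        row = rows[(arp["sender_ip"], arp["target_ip"])]
        row["smac"], row["dmac"] = arp["smac"], arp["dmac"]
        row["spkts" if direction_by_opcode(arp) == "request" else "dpkts"] += 1
        if direction_by_opcode(arp) != direction_by_dmac(arp):
            row["heuristic_mismatch"] += 1
    return dict(rows)


def binding_changes(frames) -> list:
    """Learn IP->MAC from every frame's sender fields; report each time a known IP switches MAC."""
    seen, changes = {}, []
    for raw in frames:
        arp = parse_arp_frame(raw)
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if ip in seen and seen[ip] != mac:
            changes.append((ip, seen[ip], mac))
        seen[ip] = mac
    return changes


# Constructed sample traffic: A = attacker, B = victim (as in the post), C = the real 10.0.0.10.
ATTACKER_MAC, VICTIM_MAC, GATEWAY_MAC = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb", "cc:cc:cc:cc:cc:cc"
SAMPLE_FRAMES = (
    [build_arp_frame(BROADCAST_MAC, VICTIM_MAC, ARP_REQUEST, VICTIM_MAC, "10.0.0.3", "00:00:00:00:00:00", "10.0.0.10")]
    # gratuitous ARP reply, broadcast: legitimate, yet the dmac heuristic calls it a request
    + [build_arp_frame(BROADCAST_MAC, GATEWAY_MAC, ARP_REPLY, GATEWAY_MAC, "10.0.0.10", BROADCAST_MAC, "10.0.0.10")]
    # six forged unicast replies: A claims 10.0.0.10 is at A, sent straight to B
    + [build_arp_frame(VICTIM_MAC, ATTACKER_MAC, ARP_REPLY, ATTACKER_MAC, "10.0.0.10", VICTIM_MAC, "10.0.0.3")
       for _ in range(6)]
)

if __name__ == "__main__":
    for key, row in summarize_flows(SAMPLE_FRAMES).items():
        print(key, row)
    print("binding changes:", binding_changes(SAMPLE_FRAMES))
```

Run as a script, the row for (10.0.0.10, 10.0.0.3) comes out with spkts 0 and dpkts 6, smac A and dmac B, i.e. the post's row with the counts in the reply column, and the single binding change 10.0.0.10: C to A is the poisoning event. The gratuitous reply shows the limit of the broadcast-dmac heuristic: gratuitous ARP replies are sent to ff:ff:ff:ff:ff:ff and would be toggled the wrong way, while unicast ARP requests (some stacks refresh cache entries that way) would be counted as replies; classifying on the ARP opcode avoids both.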