Count ARP packets under ARP poisoning attacks

Carter Bullard carter at qosient.com
Fri Nov 15 09:02:36 EST 2013


Hey Raphael,
What kind of packets is argus seeing to generate these flows ???

If you are tracking broadcast ARP requests with spoofed source IP packets, then
the src IP and src mac addresses will represent the attack, and this could
be cool.

If argus is tracking unsolicited ARP replies, and the dst IP address and dst mac
address represent the attack, then there is a problem, as the dpkts counter
should be 6, not the src.  The direction indicator should be pointing toward the left
if these were ARP replies by protocol.

Are the IP address and mac address assignments correct, such that the spoofed
IP is aligned with the attacker's ethernet address in the argus record ???

What version of argus are you using ??

Any chance you can send me a tcpdump of the ethernet packets you are sending ???

Carter


On Nov 15, 2013, at 2:58 AM, Raphael Campos Silva <raphaelcampos.rp at gmail.com> wrote:

> Hello everybody,
> 
> I'm building an Intrusion Detection System (IDS) to detect ARP anomalies in a local network, so I get all the ARP packets that pass through Argus and store them in MySQL. Everything is fine with that, but when I make some attacks in the local network, such as ARP poisoning, Argus counts the answers (based on ARP poisoning) as requests. For example:
> 
> +-----------+----------+-------+-------+------+------+
> | saddr     | daddr    | spkts | dpkts | smac | dmac |
> +-----------+----------+-------+-------+------+------+
> | 10.0.0.10 | 10.0.0.3 |     6 |     0 | A    | B    |
> +-----------+----------+-------+-------+------+------+
> 
> I sent 6 fake answers (by ARP poisoning) and Argus counted them as 'counter source packets'. As an alternative solution, I just toggle the values (spkts and dpkts) because I know, based on dmac, that it isn't a broadcast packet.
> 
> Is that a problem with Argus, or am I missing something?
> 
> Thanks
> 
> -- 
> Raphael
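A small checker, added here as an illustration and not Argus code, that parses constructed Ethernet/ARP frames and keeps flow counters the way Carter describes: a request is credited to the requester as spkts, a reply to the answering side as dpkts, so the six poisoning replies from the quoted example land in dpkts of a 10.0.0.3 -> 10.0.0.10 flow and are flagged as unsolicited, with the changed IP-to-MAC mapping reported once. All IPs and MACs are made up.

```python
import struct
from collections import defaultdict
ETH_ARP = 0x0806
BCAST = b"\xff" * 6
mac = lambda s: bytes.fromhex(s)               # "0a0000000003" -> 6 raw bytes
ip = lambda s: bytes(map(int, s.split(".")))   # "10.0.0.3" -> 4 raw bytes

def build_arp(op, smac, sip, tmac, tip):
    """Constructed Ethernet+ARP frame: op 1 = request (broadcast), op 2 = reply (unicast)."""
    eth = (BCAST if op == 1 else tmac) + smac + struct.pack("!H", ETH_ARP)
    return eth + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + smac + sip + tmac + tip

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip) or None if the frame is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    op = struct.unpack("!H", frame[20:22])[0]
    fmt_ip = lambda b: ".".join(map(str, b))
    return op, frame[22:28].hex(), fmt_ip(frame[28:32]), fmt_ip(frame[38:42])

class ArpMonitor:  # flow counters as in Carter's reply: replies are counted on the dst side
    def __init__(self):
        self.pending = set()                      # (requester_ip, asked_ip) awaiting a reply
        self.mapping = {}                         # ip -> last MAC seen claiming it
        self.flows = defaultdict(lambda: [0, 0])  # (saddr, daddr) -> [spkts, dpkts]
        self.alerts = []

    def feed(self, frame):
        p = parse_arp(frame)
        if p is None: return
        op, smac, sip, tip = p
        if op == 1:                               # request: the requester is the flow source
            self.pending.add((sip, tip))
            self.flows[(sip, tip)][0] += 1
        elif op == 2:                             # reply: answers the flow that tip started
            self.flows[(tip, sip)][1] += 1
            if (tip, sip) not in self.pending:    # nobody asked: poisoning candidate
                self.alerts.append(f"unsolicited reply {sip} is-at {smac} -> {tip}")
            self.pending.discard((tip, sip))
        if self.mapping.get(sip, smac) != smac:   # same IP now claimed by another MAC
            self.alerts.append(f"mapping change {sip}: {self.mapping[sip]} -> {smac}")
        self.mapping[sip] = smac

def demo():
    m = ArpMonitor()  # constructed traffic: one legitimate exchange, then six poisoning replies
    m.feed(build_arp(1, mac("0a0000000003"), ip("10.0.0.3"), b"\0" * 6, ip("10.0.0.10")))
    m.feed(build_arp(2, mac("0a000000000c"), ip("10.0.0.10"), mac("0a0000000003"), ip("10.0.0.3")))
    for _ in range(6):
        m.feed(build_arp(2, mac("0a000000000a"), ip("10.0.0.10"), mac("0a0000000003"), ip("10.0.0.3")))
    return dict(m.flows), m.alerts
```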
