Count ARP packets under ARP poisoning attacks

Carter Bullard carter at qosient.com
Mon Nov 18 10:20:37 EST 2013


Hey Raphael,
I have found a bug in ARP flow generation that I've corrected
in argus-3.0.7.5.  It seems to be a very recent bug, and something
that is easy to correct in the clients, so all the data is
still good.  Any chance I can get some packets that represent
your ARP poisoning attack so I can make sure that the fix
fixes the problem you reported?

Hope all is most excellent,

Carter

On Nov 15, 2013, at 2:58 AM, Raphael Campos Silva <raphaelcampos.rp at gmail.com> wrote:

> Hello everybody,
> 
> I'm doing an Intrusion Detection System (IDS) to detect ARP anomalies in a local network, so I get all the ARP packets that pass through Argus and store them in MySQL. Everything is fine with that, but when I make some attacks in the local network, such as ARP poisoning, Argus counts the answers (based on ARP poisoning) as requests. For example:
> 
> +-----------+----------+-------+-------+------+------+
> | saddr     | daddr    | spkts | dpkts | smac | dmac |
> +-----------+----------+-------+-------+------+------+
> | 10.0.0.10 | 10.0.0.3 | 6     | 0     | A    | B    |
> +-----------+----------+-------+-------+------+------+
> 
> I sent 6 fake answers (by ARP poisoning) and Argus counted them as 'source packets'. As an alternative solution, I just toggle the values (spkts and dpkts) because I know, based on dmac, that it isn't a broadcast packet.
> 
> Is that a problem with Argus, or am I missing something?
> 
> Thanks
> 
> -- 
> Raphael
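
The direction workaround Raphael describes (a unicast dmac means the record carries ARP replies, so the spkts/dpkts counters are swapped) can be turned into a small detector. The following is an added example, not code from the thread or from the Argus project: it parses constructed flow records in the six columns shown above, normalizes the direction of unicast ARP records the way the workaround does, and then flags the two poisoning indicators a defender would look for, an IP claimed by more than one MAC and replies for an IP that no broadcast request ever asked about. The record layout, the assumption that a unicast reply record asserts "saddr is at smac", and all MAC/IP values are constructed for illustration.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

# Constructed sample records in the six columns from the thread
# (saddr, daddr, spkts, dpkts, smac, dmac). Not real Argus output.
# Line 1: 10.0.0.10 broadcasts a request for 10.0.0.3 and gets one reply.
# Line 2: the real 10.0.0.3 answers once (reply miscounted as spkts, as in the thread).
# Line 3: six more replies for 10.0.0.3 from a different MAC (conflict).
# Line 4: replies for 10.0.0.1 although nobody asked for it (unsolicited).
SAMPLE_FLOWS = """\
saddr,daddr,spkts,dpkts,smac,dmac
10.0.0.10,10.0.0.3,1,1,aa:aa:aa:aa:aa:0a,ff:ff:ff:ff:ff:ff
10.0.0.3,10.0.0.10,1,0,aa:aa:aa:aa:aa:03,aa:aa:aa:aa:aa:0a
10.0.0.3,10.0.0.10,6,0,de:ad:be:ef:00:01,aa:aa:aa:aa:aa:0a
10.0.0.1,10.0.0.10,4,0,de:ad:be:ef:00:01,aa:aa:aa:aa:aa:0a
"""


@dataclass(frozen=True)
class ArpFlow:
    saddr: str
    daddr: str
    spkts: int
    dpkts: int
    smac: str
    dmac: str


def parse_flows(text: str) -> list[ArpFlow]:
    """Parse comma-separated flow records; the header line and blank lines are skipped."""
    flows = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("saddr"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        flows.append(ArpFlow(fields[0], fields[1], int(fields[2]), int(fields[3]),
                             fields[4].lower(), fields[5].lower()))
    return flows


def is_reply(flow: ArpFlow) -> bool:
    """ARP requests go to the broadcast MAC; anything unicast is a reply record."""
    return flow.dmac != BROADCAST_MAC


def normalize_direction(flow: ArpFlow) -> ArpFlow:
    """The workaround from the thread: a unicast ARP record whose packets were all
    counted as source packets really holds replies, so swap the two counters."""
    if is_reply(flow) and flow.spkts > 0 and flow.dpkts == 0:
        return ArpFlow(flow.saddr, flow.daddr, 0, flow.spkts, flow.smac, flow.dmac)
    return flow


def analyze(flows: list[ArpFlow]) -> dict:
    """Return IPs claimed by more than one MAC and reply counts for IPs never requested."""
    requested: set[str] = set()             # IPs some host broadcast a request for
    claims: dict[str, set[str]] = defaultdict(set)   # IP -> MACs that replied for it
    reply_pkts: dict[str, int] = defaultdict(int)    # IP -> number of reply packets seen
    for flow in map(normalize_direction, flows):
        if is_reply(flow):
            # Assumption for this example: a reply record asserts "saddr is at smac".
            claims[flow.saddr].add(flow.smac)
            reply_pkts[flow.saddr] += flow.dpkts
        else:
            requested.add(flow.daddr)
    conflicts = {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}
    unsolicited = {ip: reply_pkts[ip] for ip in claims if ip not in requested}
    return {"conflicts": conflicts, "unsolicited": unsolicited}


if __name__ == "__main__":
    report = analyze(parse_flows(SAMPLE_FLOWS))
    for ip, macs in report["conflicts"].items():
        print(f"CONFLICT  {ip} claimed by {', '.join(macs)}")
    for ip, n in report["unsolicited"].items():
        print(f"UNSOLICITED  {n} reply packet(s) for {ip} with no request seen")
```

On real data the records would come from the Argus clients rather than the embedded string, and a time window should bound the request/reply matching so that a request seen hours earlier does not excuse a reply now; the conflict check is the stronger signal, since a legitimate host that changes its NIC also produces it once, whereas a poisoner produces it repeatedly.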

