Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
| Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
 |
02-16-2006, 08:22 AM
|
#1
|
|
Senior Member
Registered: Nov 2003
Location: Knoxville, TN
Distribution: Kubuntu 9.04
Posts: 1,168
Rep: 
|
Snort and cable modem setup
OK, I'm trying to setup snort IDS on my network. I installed a second NIC in my PC and a hub between cable modem and router. So first NIC is on internal/private 192.168.x.x and second is on Comcast's external/public network. Second interface I bring up with no IP and then start snort. So far so good, I'm a sniffing fool at this point.
Problem now is I'm apparently sniffing the whole neighborhood and my cable modem uses DHCP. I'd like to filter just packets hitting my house, but the modem's IP might change at any time. How the !@#$ should I set this up? Any advice appreciated.
Code:
cable modem ---- hub ---- router & ---- switch ---- PC2
| firewall | ---- PC3
PC1 ---eth1--- | ---- PC4
| |
---------------eth0-------------------
|
|
|
|
|
02-16-2006, 08:57 AM
|
#2
|
|
Member
Registered: Apr 2002
Posts: 498
Rep:
|
Quote:
|
Originally Posted by Crito
Problem now is I'm apparently sniffing the whole neighborhood and my cable modem uses DHCP. I'd like to filter just packets hitting my house, but the modem's IP might change at any time. How the !@#$ should I set this up? Any advice appreciated.
|
Are you just trying to ignore the DHCP messages? If so, you can simply turn off that alert. What's your HOME_NET set to? |
|
|
|
|
02-16-2006, 09:44 AM
|
#3
|
|
Senior Member
Registered: Nov 2003
Location: Knoxville, TN
Distribution: Kubuntu 9.04
Posts: 1,168
Original Poster
Rep:
|
Right now everything is set to defaults (I'm a snort newbie,) so HOME_NET would be "any" and I'm only sniffing on the one NIC (eth1.) I'm not too concerened about internal attacks, as I'm the only person using my LAN at the moment and I have no public servers/services (and that's why there's no DMZ too.) What I'm concerened about are external attacks against the cable modem, router or firewall devices themselves. My router uses NAT/PAT so from the hub side I can't see the private/internal addresses anyway.
Anyway, I guess my question(s) is/are:
1) Is there a way to set a var like HOME_NET to filter on MAC address of the cable modem instead of IP, which changes because ISP uses DHCP.
2) If #1 above sounds stupid (and being a snort newbie that's entirely possible) what's the right/best way to implement snort with cable modem that uses DHCP?
Perhaps I'm still confused on the proper setup. I did read the snort FAQ, which is where I got the idea for the hub between modem and router (they said could be used instead of a passive ethernet tap.)
|
|
|
|
|
02-17-2006, 06:37 AM
|
#4
|
|
Senior Member
Registered: Nov 2003
Location: Knoxville, TN
Distribution: Kubuntu 9.04
Posts: 1,168
Original Poster
Rep:
|
Geez, don't everyone speak up at once. LOL.. All I was really looking for are some other/alternate diagrams of how peeps have hooked up an NIDS to their cable modem LANs.
Let me elaborate further. The nature of my cable modem service allows me to see broadcast traffic from others on the segment. When I start the sniffer I get bombarded with ARP traffic, burying the packets I want to see. For example, I just captured this:
Code:
02/17-07:21:02.947018 ARP who-has 68.34.194.50 tell 68.34.192.1
02/17-07:21:02.947279 ARP who-has 68.34.194.52 tell 68.34.192.1
02/17-07:21:02.947505 ARP who-has 68.34.194.49 tell 68.34.192.1
02/17-07:21:02.949095 206.37.232.91:30889 -> 68.34.XXX.XXX:1026
UDP TTL:116 TOS:0x0 ID:16606 IpLen:20 DgmLen:908
Len: 880
04 00 28 00 10 00 00 00 00 00 00 00 00 00 00 00 ..(.............
00 00 00 00 00 00 00 00 F8 91 7B 5A 00 FF D0 11 ..........{Z....
A9 B2 00 C0 4F B6 E6 FC F4 24 96 5D 15 AE 33 12 ....O....$.]..3.
5E 2E EC 1C BB 3C F7 BE 00 00 00 00 01 00 00 00 ^....<..........
00 00 00 00 00 00 FF FF FF FF 20 03 00 00 00 00 .......... .....
11 00 00 00 00 00 00 00 11 00 00 00 53 45 43 55 ............SECU
52 49 54 59 20 4D 4F 4E 49 54 4F 52 00 00 00 00 RITY MONITOR....
11 00 00 00 00 00 00 00 11 00 00 00 57 49 4E 44 ............WIND
4F 57 53 20 55 53 45 52 00 00 00 00 00 00 00 00 OWS USER........
D4 02 00 00 00 00 00 00 D4 02 00 00 49 6D 70 6F ............Impo
72 74 61 6E 74 20 57 69 6E 64 6F 77 73 20 53 65 rtant Windows Se
63 75 72 69 74 79 20 42 75 6C 6C 65 74 69 6E 0D curity Bulletin.
0A 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D 3D .===============
3D 3D 3D 3D 3D 3D 3D 0D 0A 42 75 66 66 65 72 20 =======..Buffer
4F 76 65 72 72 75 6E 20 69 6E 20 4D 65 73 73 65 Overrun in Messe
6E 67 65 72 20 53 65 72 76 69 63 65 20 41 6C 6C nger Service All
6F 77 73 20 52 65 6D 6F 74 65 20 43 6F 64 65 20 ows Remote Code
45 78 65 63 75 74 69 6F 6E 2C 0D 0A 56 69 72 75 Execution,..Viru
73 20 49 6E 66 65 63 74 69 6F 6E 20 61 6E 64 20 s Infection and
55 6E 65 78 70 65 63 74 65 64 20 43 6F 6D 70 75 Unexpected Compu
74 65 72 20 53 68 75 74 64 6F 77 6E 73 0D 0A 0D ter Shutdowns...
0A 41 66 66 65 63 74 65 64 20 53 6F 66 74 77 61 .Affected Softwa
72 65 3A 20 0D 0A 0D 0A 4D 69 63 72 6F 73 6F 66 re: ....Microsof
74 20 57 69 6E 64 6F 77 73 20 4E 54 20 57 6F 72 t Windows NT Wor
6B 73 74 61 74 69 6F 6E 20 0D 0A 4D 69 63 72 6F kstation ..Micro
73 6F 66 74 20 57 69 6E 64 6F 77 73 20 4E 54 20 soft Windows NT
53 65 72 76 65 72 20 34 2E 30 20 0D 0A 4D 69 63 Server 4.0 ..Mic
72 6F 73 6F 66 74 20 57 69 6E 64 6F 77 73 20 32 rosoft Windows 2
30 30 30 20 20 20 0D 0A 4D 69 63 72 6F 73 6F 66 000 ..Microsof
74 20 57 69 6E 64 6F 77 73 20 58 50 20 20 0D 0A t Windows XP ..
4D 69 63 72 6F 73 6F 66 74 20 57 69 6E 64 6F 77 Microsoft Window
73 20 57 69 6E 39 38 20 20 20 0D 0A 4D 69 63 72 s Win98 ..Micr
6F 73 6F 66 74 20 57 69 6E 64 6F 77 73 20 53 65 osoft Windows Se
72 76 65 72 20 32 30 30 33 0D 0A 0D 0A 4E 6F 6E rver 2003....Non
20 41 66 66 65 63 74 65 64 20 53 6F 66 74 77 61 Affected Softwa
72 65 3A 20 0D 0A 0D 0A 4D 69 63 72 6F 73 6F 66 re: ....Microsof
74 20 57 69 6E 64 6F 77 73 20 4D 69 6C 6C 65 6E t Windows Millen
6E 69 75 6D 20 45 64 69 74 69 6F 6E 0D 0A 0D 0A nium Edition....
59 6F 75 72 20 73 79 73 74 65 6D 20 69 73 20 61 Your system is a
66 66 65 63 74 65 64 2C 20 64 6F 77 6E 6C 6F 61 ffected, downloa
64 20 74 68 65 20 70 61 74 63 68 20 66 72 6F 6D d the patch from
20 74 68 65 20 61 64 64 72 65 73 73 20 62 65 6C the address bel
6F 77 20 21 20 0D 0A 46 49 52 53 54 20 54 59 50 ow ! ..FIRST TYP
45 20 54 48 45 20 41 44 44 52 45 53 53 20 42 45 E THE ADDRESS BE
4C 4F 57 20 49 4E 54 4F 20 59 4F 55 52 20 49 4E LOW INTO YOUR IN
54 45 52 4E 45 54 20 42 52 4F 57 53 45 52 2C 20 TERNET BROWSER,
54 48 45 4E 20 43 4C 49 43 4B 20 27 4F 4B 27 2E THEN CLICK 'OK'.
0D 0A 54 48 45 20 41 44 44 52 45 53 53 20 57 49 ..THE ADDRESS WI
4C 4C 20 44 49 53 41 50 50 45 41 52 20 4F 4E 43 LL DISAPPEAR ONC
45 20 59 4F 55 20 43 4C 49 43 4B 20 27 4F 4B 27 E YOU CLICK 'OK'
2E 0D 0A 0D 0A 20 20 20 20 20 20 20 20 20 20 20 .....
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 20 20 20 20 20 77 77 77 2E 70 61 74 www.pat
63 68 75 70 64 61 74 65 2E 69 6E 66 6F 0D 0A 00 chupdate.info...
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/17-07:21:02.949199 ARP who-has 68.34.194.44 tell 68.34.192.1
02/17-07:21:02.949454 ARP who-has 68.34.194.43 tell 68.34.192.1
02/17-07:21:02.952327 ARP who-has 68.34.194.33 tell 68.34.192.1
02/17-07:21:02.953539 ARP who-has 68.34.194.28 tell 68.34.192.1
02/17-07:21:02.959462 ARP who-has 68.34.194.100 tell 68.34.192.1
02/17-07:21:02.959907 ARP who-has 68.34.194.102 tell 68.34.192.1
02/17-07:21:02.960157 ARP who-has 68.34.194.98 tell 68.34.192.1
02/17-07:21:02.960382 ARP who-has 68.34.194.97 tell 68.34.192.1
02/17-07:21:02.960979 ARP who-has 68.34.194.94 tell 68.34.192.1
02/17-07:21:02.961858 ARP who-has 68.34.194.90 tell 68.34.192.1
02/17-07:21:02.963450 ARP who-has 68.34.194.84 tell 68.34.192.1
02/17-07:21:02.964773 ARP who-has 68.34.194.80 tell 68.34.192.1
02/17-07:21:02.965030 ARP who-has 68.34.194.79 tell 68.34.192.1
02/17-07:21:02.966473 ARP who-has 68.34.194.77 tell 68.34.192.1
02/17-07:21:02.980894 ARP who-has 68.34.193.243 tell 68.34.192.1
02/17-07:21:03.025525 ARP who-has 68.34.194.63 tell 68.34.192.1
02/17-07:21:03.025804 ARP who-has 68.34.194.60 tell 68.34.192.1
02/17-07:21:03.027078 ARP who-has 68.34.194.105 tell 68.34.192.1
02/17-07:21:03.027343 ARP who-has 68.34.194.150 tell 68.34.192.1
02/17-07:21:03.027573 ARP who-has 68.34.194.139 tell 68.34.192.1
02/17-07:21:03.028616 ARP who-has 68.34.194.128 tell 68.34.192.1
02/17-07:21:03.028857 ARP who-has 68.34.194.126 tell 68.34.192.1
02/17-07:21:03.029365 ARP who-has 68.34.194.121 tell 68.34.192.1
02/17-07:21:03.029787 ARP who-has 68.34.194.127 tell 68.34.192.1
02/17-07:21:03.030249 ARP who-has 68.34.194.119 tell 68.34.192.1
02/17-07:21:03.030489 ARP who-has 68.34.194.124 tell 68.34.192.1
02/17-07:21:03.030948 ARP who-has 68.34.194.114 tell 68.34.192.1
02/17-07:21:03.031468 ARP who-has 68.34.194.122 tell 68.34.192.1
02/17-07:21:03.031721 ARP who-has 68.34.194.112 tell 68.34.192.1
02/17-07:21:03.031958 ARP who-has 68.34.194.111 tell 68.34.192.1
02/17-07:21:03.032177 ARP who-has 68.34.194.22 tell 68.34.192.1
02/17-07:21:03.032398 ARP who-has 68.34.193.240 tell 68.34.192.1
02/17-07:21:03.032618 ARP who-has 68.34.193.239 tell 68.34.192.1
02/17-07:21:03.032826 ARP who-has 68.34.193.238 tell 68.34.192.1
02/17-07:21:03.033188 ARP who-has 68.34.193.237 tell 68.34.192.1
02/17-07:21:03.033457 ARP who-has 68.34.194.59 tell 68.34.192.1
02/17-07:21:03.033693 ARP who-has 68.34.193.242 tell 68.34.192.1
02/17-07:21:03.033915 ARP who-has 68.34.193.241 tell 68.34.192.1
02/17-07:21:03.034121 ARP who-has 68.34.193.233 tell 68.34.192.1
02/17-07:21:03.034332 ARP who-has 68.34.193.236 tell 68.34.192.1
02/17-07:21:03.035464 ARP who-has 68.34.193.231 tell 68.34.192.1
02/17-07:21:03.036108 ARP who-has 68.34.193.230 tell 68.34.192.1
02/17-07:21:03.036378 ARP who-has 68.34.193.229 tell 68.34.192.1
02/17-07:21:03.036603 ARP who-has 68.34.193.226 tell 68.34.192.1
02/17-07:21:03.036809 ARP who-has 68.34.193.232 tell 68.34.192.1
02/17-07:21:03.037026 ARP who-has 68.34.193.228 tell 68.34.192.1
02/17-07:21:03.037243 ARP who-has 68.34.194.158 tell 68.34.192.1
02/17-07:21:03.037456 ARP who-has 68.34.194.155 tell 68.34.192.1
02/17-07:21:03.037662 ARP who-has 68.34.194.161 tell 68.34.192.1
02/17-07:21:03.037877 ARP who-has 68.34.194.162 tell 68.34.192.1
02/17-07:21:03.058254 ARP who-has 68.34.194.206 tell 68.34.192.1
02/17-07:21:03.058555 ARP who-has 68.34.194.196 tell 68.34.192.1
02/17-07:21:03.058794 ARP who-has 68.34.194.189 tell 68.34.192.1
02/17-07:21:03.059014 ARP who-has 68.34.194.183 tell 68.34.192.1
02/17-07:21:03.059253 ARP who-has 68.34.194.180 tell 68.34.192.1
02/17-07:21:03.059575 ARP who-has 68.34.194.188 tell 68.34.192.1
02/17-07:21:03.059813 ARP who-has 68.34.194.185 tell 68.34.192.1
02/17-07:21:03.060037 ARP who-has 68.34.194.171 tell 68.34.192.1
02/17-07:21:03.060250 ARP who-has 68.34.194.166 tell 68.34.192.1
02/17-07:21:03.060468 ARP who-has 68.34.194.216 tell 68.34.192.1
02/17-07:21:03.060687 ARP who-has 68.34.194.223 tell 68.34.192.1
02/17-07:21:03.061201 ARP who-has 68.34.194.214 tell 68.34.192.1
02/17-07:21:03.061455 ARP who-has 68.34.194.226 tell 68.34.192.1
02/17-07:21:03.061689 ARP who-has 68.34.194.224 tell 68.34.192.1
02/17-07:21:03.061898 ARP who-has 68.34.194.234 tell 68.34.192.1
02/17-07:21:03.062118 ARP who-has 68.34.194.236 tell 68.34.192.1
02/17-07:21:03.062341 ARP who-has 68.34.194.228 tell 68.34.192.1
02/17-07:21:03.062567 ARP who-has 68.34.194.229 tell 68.34.192.1
02/17-07:21:03.063549 ARP who-has 68.34.193.25 tell 68.34.192.1
02/17-07:21:03.063802 ARP who-has 68.34.193.24 tell 68.34.192.1
02/17-07:21:03.064037 ARP who-has 68.34.193.23 tell 68.34.192.1
02/17-07:21:03.064256 ARP who-has 68.34.193.21 tell 68.34.192.1
02/17-07:21:03.064460 ARP who-has 68.34.193.11 tell 68.34.192.1
02/17-07:21:03.064667 ARP who-has 68.34.193.18 tell 68.34.192.1
02/17-07:21:03.064879 ARP who-has 68.34.193.9 tell 68.34.192.1
02/17-07:21:03.065090 ARP who-has 68.34.193.1 tell 68.34.192.1
02/17-07:21:03.065297 ARP who-has 68.34.193.0 tell 68.34.192.1
02/17-07:21:03.065518 ARP who-has 68.34.192.252 tell 68.34.192.1
02/17-07:21:03.065733 ARP who-has 68.34.192.249 tell 68.34.192.1
02/17-07:21:03.065955 ARP who-has 68.34.192.245 tell 68.34.192.1
02/17-07:21:03.066166 ARP who-has 68.34.192.241 tell 68.34.192.1
02/17-07:21:03.066392 ARP who-has 68.34.192.238 tell 68.34.192.1
02/17-07:21:03.066604 ARP who-has 68.34.192.244 tell 68.34.192.1
02/17-07:21:03.066827 ARP who-has 68.34.192.240 tell 68.34.192.1
02/17-07:21:03.067048 ARP who-has 68.34.192.225 tell 68.34.192.1
02/17-07:21:03.067270 ARP who-has 68.34.192.223 tell 68.34.192.1
02/17-07:21:03.067484 ARP who-has 68.34.192.226 tell 68.34.192.1
02/17-07:21:03.067705 ARP who-has 68.34.195.11 tell 68.34.192.1
02/17-07:21:03.067920 ARP who-has 68.34.195.10 tell 68.34.192.1
02/17-07:21:03.068129 ARP who-has 68.34.195.4 tell 68.34.192.1
02/17-07:21:03.068340 ARP who-has 68.34.194.249 tell 68.34.192.1
02/17-07:21:03.068547 ARP who-has 68.34.194.246 tell 68.34.192.1
02/17-07:21:03.068691 ARP who-has 68.34.192.215 tell 68.34.192.1
02/17-07:21:03.068832 ARP who-has 68.34.192.209 tell 68.34.192.1
02/17-07:21:03.069121 ARP who-has 68.34.192.208 tell 68.34.192.1
02/17-07:21:03.069263 ARP who-has 68.34.192.173 tell 68.34.192.1
02/17-07:21:03.086009 ARP who-has 68.34.195.12 tell 68.34.192.1
02/17-07:21:03.107099 ARP who-has 68.34.195.60 tell 68.34.192.1
02/17-07:21:03.110016 ARP who-has 68.34.195.195 tell 68.34.192.1
02/17-07:21:03.169793 ARP who-has 68.34.195.219 tell 68.34.192.1
02/17-07:21:03.173888 ARP who-has 68.34.195.223 tell 68.34.192.1
02/17-07:21:03.174535 ARP who-has 68.34.195.194 tell 68.34.192.1
02/17-07:21:03.175641 ARP who-has 68.34.195.189 tell 68.34.192.1
02/17-07:21:03.176595 ARP who-has 68.34.195.178 tell 68.34.192.1
02/17-07:21:03.176851 ARP who-has 68.34.195.187 tell 68.34.192.1
02/17-07:21:03.177083 ARP who-has 68.34.195.186 tell 68.34.192.1
02/17-07:21:03.178005 ARP who-has 68.34.195.176 tell 68.34.192.1
02/17-07:21:03.178257 ARP who-has 68.34.195.174 tell 68.34.192.1
02/17-07:21:03.179479 ARP who-has 68.34.195.160 tell 68.34.192.1
02/17-07:21:03.180219 ARP who-has 68.34.195.167 tell 68.34.192.1
02/17-07:21:03.180479 ARP who-has 68.34.195.154 tell 68.34.192.1
02/17-07:21:03.181800 ARP who-has 68.34.195.157 tell 68.34.192.1
02/17-07:21:03.185171 ARP who-has 68.34.195.246 tell 68.34.192.1
02/17-07:21:03.185884 ARP who-has 68.34.195.249 tell 68.34.192.1
02/17-07:21:03.186914 ARP who-has 68.34.195.140 tell 68.34.192.1
02/17-07:21:03.187784 ARP who-has 68.34.195.235 tell 68.34.192.1
02/17-07:21:03.188048 ARP who-has 68.34.195.231 tell 68.34.192.1
02/17-07:21:03.189900 ARP who-has 68.34.195.114 tell 68.34.192.1
02/17-07:21:03.190142 ARP who-has 68.34.192.120 tell 68.34.192.1
02/17-07:21:03.208604 ARP who-has 68.34.192.82 tell 68.34.192.1
02/17-07:21:03.212485 ARP who-has 68.34.195.254 tell 68.34.192.1
02/17-07:21:03.212793 ARP who-has 68.34.195.253 tell 68.34.192.1
02/17-07:21:03.213780 ARP who-has 68.34.195.33 tell 68.34.192.1
02/17-07:21:03.214055 ARP who-has 68.34.195.71 tell 68.34.192.1
02/17-07:21:03.214300 ARP who-has 68.34.195.26 tell 68.34.192.1
02/17-07:21:03.214513 ARP who-has 68.34.195.19 tell 68.34.192.1
02/17-07:21:03.214727 ARP who-has 68.34.195.17 tell 68.34.192.1
02/17-07:21:03.216796 ARP who-has 68.34.195.14 tell 68.34.192.1
02/17-07:21:03.217074 ARP who-has 68.34.195.211 tell 68.34.192.1
02/17-07:21:03.217306 ARP who-has 68.34.195.210 tell 68.34.192.1
02/17-07:21:03.218059 ARP who-has 68.34.195.200 tell 68.34.192.1
02/17-07:21:03.218313 ARP who-has 68.34.195.205 tell 68.34.192.1
02/17-07:21:03.218822 ARP who-has 68.34.192.126 tell 68.34.192.1
02/17-07:21:03.310851 ARP who-has 68.34.193.96 tell 68.34.192.1
02/17-07:21:03.311154 ARP who-has 68.34.193.75 tell 68.34.192.1
02/17-07:21:03.380078 ARP who-has 68.34.195.146 tell 68.34.192.1
02/17-07:21:03.380333 ARP who-has 68.34.195.152 tell 68.34.192.1
02/17-07:21:03.382861 ARP who-has 68.34.195.138 tell 68.34.192.1
02/17-07:21:03.383269 ARP who-has 68.34.195.136 tell 68.34.192.1
02/17-07:21:03.383513 ARP who-has 68.34.195.135 tell 68.34.192.1
02/17-07:21:03.383752 ARP who-has 68.34.195.133 tell 68.34.192.1
02/17-07:21:03.383965 ARP who-has 68.34.195.134 tell 68.34.192.1
02/17-07:21:03.384184 ARP who-has 68.34.195.125 tell 68.34.192.1
02/17-07:21:03.384854 ARP who-has 68.34.195.124 tell 68.34.192.1
02/17-07:21:03.385108 ARP who-has 68.34.195.132 tell 68.34.192.1
02/17-07:21:03.385329 ARP who-has 68.34.195.121 tell 68.34.192.1
02/17-07:21:03.385538 ARP who-has 68.34.195.120 tell 68.34.192.1
02/17-07:21:03.385738 ARP who-has 68.34.195.118 tell 68.34.192.1
02/17-07:21:03.387309 ARP who-has 68.34.195.113 tell 68.34.192.1
02/17-07:21:03.387607 ARP who-has 68.34.195.103 tell 68.34.192.1
02/17-07:21:03.388244 ARP who-has 68.34.195.99 tell 68.34.192.1
02/17-07:21:03.388510 ARP who-has 68.34.195.90 tell 68.34.192.1
02/17-07:21:03.388736 ARP who-has 68.34.195.87 tell 68.34.192.1
02/17-07:21:03.388955 ARP who-has 68.34.195.91 tell 68.34.192.1
02/17-07:21:03.406271 ARP who-has 68.34.195.85 tell 68.34.192.1
02/17-07:21:03.406543 ARP who-has 68.34.195.81 tell 68.34.192.1
02/17-07:21:03.406776 ARP who-has 68.34.195.80 tell 68.34.192.1
02/17-07:21:03.406996 ARP who-has 68.34.195.76 tell 68.34.192.1
02/17-07:21:03.407222 ARP who-has 68.34.195.82 tell 68.34.192.1
02/17-07:21:03.407437 ARP who-has 68.34.195.74 tell 68.34.192.1
02/17-07:21:03.407652 ARP who-has 68.34.195.68 tell 68.34.192.1
02/17-07:21:03.408314 ARP who-has 68.34.195.65 tell 68.34.192.1
02/17-07:21:03.408576 ARP who-has 68.34.195.73 tell 68.34.192.1
02/17-07:21:03.408970 ARP who-has 68.34.195.64 tell 68.34.192.1
02/17-07:21:03.409232 ARP who-has 68.34.195.58 tell 68.34.192.1
02/17-07:21:03.409448 ARP who-has 68.34.195.66 tell 68.34.192.1
02/17-07:21:03.409659 ARP who-has 68.34.195.67 tell 68.34.192.1
02/17-07:21:03.409946 ARP who-has 68.34.195.51 tell 68.34.192.1
02/17-07:21:03.410176 ARP who-has 68.34.195.49 tell 68.34.192.1
02/17-07:21:03.410390 ARP who-has 68.34.195.53 tell 68.34.192.1
02/17-07:21:03.410612 ARP who-has 68.34.195.44 tell 68.34.192.1
02/17-07:21:03.410938 ARP who-has 68.34.195.37 tell 68.34.192.1
The only packet directed at me is the Windows messenger trojan (I blanked out my IP.) The rest won't make it into my LAN anyway, so I really don't want to see them... though I wonder if there's not an ARP DoS attack my Security+ book didn't cover... anyway.  |
|
|
|
|
02-20-2006, 09:57 PM
|
#5
|
|
Senior Member
Registered: Nov 2003
Location: Knoxville, TN
Distribution: Kubuntu 9.04
Posts: 1,168
Original Poster
Rep:
|
By the way, if you see ARP traffic like this it's a sure sign of the Nachia/Welchia worm.  |
|
|
|
|
02-22-2006, 04:17 PM
|
#6
|
|
Member
Registered: Aug 2003
Location: Michigan
Distribution: RHEL v.4, Debian
Posts: 82
Rep:
|
Whos your ISP?
|
|
|
|
|
02-23-2006, 05:59 AM
|
#7
|
|
Senior Member
Registered: Nov 2003
Location: Knoxville, TN
Distribution: Kubuntu 9.04
Posts: 1,168
Original Poster
Rep:
|
Comcast cable service... anyway, it's apparent I'm going to have to go buy a book just for this one app. There's a whole lot more to chew on here than I initially thought. |
|
|
|
|
02-23-2006, 07:00 AM
|
#8
|
|
Member
Registered: Aug 2003
Location: Michigan
Distribution: RHEL v.4, Debian
Posts: 82
Rep:
|
Keep a close eye on your ip address, I have Charter and mine has never changed. The only time it ever changes is when there is a different NIC plugged into the modem. So if you have a server plugged into it that is going to be dhcp and whatever else it will never change. I have had a webserver on mine for the last year and its never changed. You can then just set eth1 to your outside ip address and you wont have a problem. Also take a look at www.bleedingsnort.com they have a lot of user submission rule sets that you can download for free and have a forum to ask questions with. |
|
|
|
|
02-23-2006, 07:37 AM
|
#9
|
|
Senior Member
Registered: Sep 2005
Location: Out
Posts: 3,307
Rep:
|
Do you really see packets of others?
From this log, it seems you only see packets from your proxyarp/switch?
I think cable modems provider constantly send this arp requests.
Arp packets won't be seen as an attack under snort, so you won't log them.
And for your sniffer, maybe ignore arp packets or broadcast packets directed to you (FF:FF:FF:FF:FF:FF)
Its quite rare to run a sniffer without a filter. Ethereal is very usefull for this: from a 200Meg file, after clicking on "packet not like this" several times, then clicking on follow tcp stream and select not this stream, you finally end up with a few intersting packets.
|
|
|
|
|
02-23-2006, 06:44 PM
|
#10
|
|
Senior Member
Registered: Nov 2003
Location: Knoxville, TN
Distribution: Kubuntu 9.04
Posts: 1,168
Original Poster
Rep:
|
Quote:
|
Originally Posted by ninjaz
Keep a close eye on your ip address, I have Charter and mine has never changed. The only time it ever changes is when there is a different NIC plugged into the modem.
|
Hmmm, with Comcast seems to be the cable modem's MAC that's bound to the IP through DHCP. So changing the NIC doesn't do anything (verified with MAC cloning feature in router.) And can't bring up eth1 with same IP either, but just knowing the IP won't change is good enough. Thanks for info! |
|
|
|
All times are GMT -5. The time now is 05:35 AM.
|
|
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
|
 Latest Threads
LQ News
|
|
