[Snort-users] Tcp session hijacking
Meysam Farazmand
Hi all,
I used "check_session_hijacking" in stream5 preprocessor for session hijacking attacks detection and launched a mitm attack. But snort did not detect it. I also checked preprocessor rules for detecting this type of attack and there was some rules in my ruleset.
Does anyone know how to configure snort to detect session hijacking and mitm attacks?
waldo kitty
> Hi all,
>
> I used "check_session_hijacking" in stream5 preprocessor for session hijacking
> attacks detection and launched a mitm attack. But snort did not detect it.
session hijacking is where you take over or continue with someone's existing or
previous session...
mitm is where you are in the middle and have valid sessions with both parties
and pass their traffic across while doing what you want with it in the middle...
--
NOTE: No off-list assistance is given without prior approval.
Please *keep mailing list traffic on the list* unless
private contact is specifically requested and granted.
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Meysam Farazmand
Hi Waldo,
Thank you for reply.yes you're right. I am doing a project with snort and my project manager wants me to test snort session hijacking detection capability. If we assume that attacker does not use spoofed MAC address, similarity between session hijacking and mitm is that in both, MAC address of on side changes. So snort should detect this MAC address changing with stream5. Is it correct?
Joel Esler (jesler)
Meysam Farazmand
Hi Joel,
But according to snort user manual, stream5 check_session_hijacking option is based on mac address checking on both side of a communication.
More exactly:
" Check for TCP session hijacking. This check validates the hardware (MAC) address from both sides of the connect - as established on the 3-way handshake against subsequent packets received on the session. If an ethernet layer is not part of the protocol stack received by Snort, there are no checks performed. Alerts are generated (per 'detect_anomalies' option) for either the client or server when the MAC address for one side or the other does not match. The default is set to off."
Joel Esler (jesler)
--
Meysam Farazmand
Hi,
NP. Yes, i know.my problem is that although "ettercap" changes mac address of victim during communication and i see this changes with wireshark, but snort does not generate any alert on this. Did you test this capability of snort?
Russ Combs (rucombs)
Sent: Tuesday, August 19, 2014 8:40 AM
To: snort...@lists.sourceforge.net
Subject: Re: [Snort-users] Tcp session hijacking
Meysam Farazmand
Hi Russ,
yeah i have all of this. I have 2 rules in my preprocessor.rules file for session hijacking detection.
Russ Combs (rucombs)
Sent: Tuesday, August 19, 2014 10:37 AM
Hi Russ,
yeah i have all of this. I have 2 rules in my preprocessor.rules file for session hijacking detection.
* OK, time for a pcap and conf if you can send the minimal repro foo.
Thanks
Russ
Meysam Farazmand
Hi Jefferson,
When we do a man in the middle attack, all of devices arp tables updates with mac address of attacker. So this changes in mac address should be detect as session hijacking with stream5 preprocessor. Because stream5 check_session_hijacking option rely on changes in mac address of a tcp connection.
Also my switch is unmanaged and has no capability of mac spoofing detection.
Wouldn’t your MAC addresses just be those of your routers anyway? Any non-trivial network (ie. Enterprise) probably won’t get much benefit from Snort trying to detect this. You’re better off using the anti-mac spoofing features of your switches, IMO.
From: Meysam Farazmand [mailto:farazman...@gmail.com]
Sent: August 19, 2014 1:16 AM
To: snort...@lists.sourceforge.net
Subject: Re: [Snort-users] Tcp session hijacking
Hi Waldo,
Jefferson, Shawn
waldo kitty
top posting "corrected" to inline for readability... see my reply below...
On 8/19/2014 1:00 PM, Meysam Farazmand wrote:
> On Aug 19, 2014 9:11 PM, "Jefferson, Shawn" <Shawn.J...@bcferries.com> wrote:
>>
>> Wouldn’t your MAC addresses just be those of your routers anyway? Any
>> non-trivial network (ie. Enterprise) probably won’t get much benefit from
>> Snort trying to detect this. You’re better off using the anti-mac spoofing
>> features of your switches, IMO.____
>
> Hi Jefferson,
>
> When we do a man in the middle attack, all of devices arp tables updates with
> mac address of attacker. So this changes in mac address should be detect as
> session hijacking with stream5 preprocessor. Because stream5
> check_session_hijacking option rely on changes in mac address of a tcp connection.
i think that what jefferson is attempting to point out is that MAC addresses are
only good on the current link... in other words, this chart shows 3 MAC address
changes in the flow of traffic from A to B...
A -> router1 -> router2 -> B
and this one shows 5 changes...
A -> router1 -> router2 -> router3 -> router4 -> B
the source MAC and destination MAC inside the packet will change at each "->"...
IIRC, this is the same for hubs and switches, too...
Meysam Farazmand
Hi Waldo,
My testing network consists of four pc and an unmanaged switch and i don't have any router. As i said before, i poisioned all of pc and switch arp tables with "ettercap".so, when bening pc make a tcp connection to snort pc and we poision its arp tables, the source mac address changes to mac address of attacker and i expect, snort detect this changing.
