Ossec@xxxxxxxxxx wrote:
>
> Hi !
>
> I'm somewhat concerned about ARP spoofing on switched networks, especially
> because of ettercap:
>
> - http://www.securitypronews.com/securitypronews-24-20030623EtterCapARPSpoofingandBeyond.html
>
> - http://www.secuobs.com/news/04102006-ettercap.shtml (It's in French, I
> didn't find something equivalent...)
>
> Ettercap is capable of man-in-the-middle attacks (SSL, SSHv1) and is
> capable of sniffing switched networks.
>
> So to my question: "Is OSSEC capable of looking at logs produced by tools
> like arpwatch and detecting suspicious changes?"
>
> Thanks.
>
> Sioban.
>
I don't know if arpwatch is specifically supported. If not, I'm
guessing that you might be able to set something up like the nmap
monitoring [1]. If you could submit log samples of arpwatch [2], or
sample output if it doesn't log, then a decoder could be written for it.
[1] http://www.ossec.net/wiki/index.php/Tutorials:Nmap_Correlation
[2] http://www.ossec.net/wiki/index.php/Log_Samples
--
gentux
echo "hfouvyyAhnbjm/dpn" | perl -pe 's/(.)/chr(ord($1)-1)/ge'
gentux's gpg fingerprint ==> 5495 0388 67FF 0B89 1239 D840 4CF0 39E2 18D3 4A9E
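As an added illustration of what an arpwatch decoder along the lines suggested above would need to pull out of the logs (this is example code, not part of the thread or of OSSEC), here is a small Python parser that classifies arpwatch syslog messages and flags the address-change events that matter for ARP-spoofing detection. The message formats follow arpwatch's own report strings; the hostnames and addresses in the sample log are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Generic syslog framing: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) "
    r"(?P<prog>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$")

# arpwatch report strings: "<event> <ip> <mac>" with an optional
# "(<old mac>)" on address changes, flip flops and mismatches.
MSG_RE = re.compile(
    r"^(?P<event>new station|new activity|changed ethernet address|"
    r"flip flop|bogon|ethernet mismatch) (?P<ip>\S+) (?P<mac>\S+)"
    r"(?: \((?P<old_mac>\S+)\))?")

# Events where an IP's MAC differs from what arpwatch had on record.
SUSPICIOUS = {"changed ethernet address", "flip flop", "ethernet mismatch"}


@dataclass
class ArpEvent:
    host: str
    event: str
    ip: str
    mac: str
    old_mac: Optional[str]
    suspicious: bool


def decode(line: str) -> Optional[ArpEvent]:
    """Return a structured event for an arpwatch line, else None."""
    m = SYSLOG_RE.match(line)
    if not m or m.group("prog") != "arpwatch":
        return None
    e = MSG_RE.match(m.group("msg"))
    if not e:
        return None
    return ArpEvent(m.group("host"), e.group("event"), e.group("ip"),
                    e.group("mac"), e.group("old_mac"),
                    e.group("event") in SUSPICIOUS)


def alerts(lines: List[str]) -> List[ArpEvent]:
    """Keep only the events worth alerting on (MAC changed for an IP)."""
    return [ev for ev in map(decode, lines) if ev and ev.suspicious]


# Constructed sample log: one benign arpwatch line, one unrelated sshd line,
# and two address-change events of the kind an ARP spoofer would produce.
SAMPLE_LOG = """\
Oct  6 12:00:01 gw arpwatch: new station 192.168.1.10 0:16:3e:aa:bb:cc eth0
Oct  6 12:00:02 gw sshd[999]: Accepted publickey for admin from 192.168.1.10
Oct  6 12:00:05 gw arpwatch: changed ethernet address 192.168.1.1 0:16:3e:de:ad:01 (0:16:3e:11:22:33)
Oct  6 12:00:09 gw arpwatch: flip flop 192.168.1.1 0:16:3e:11:22:33 (0:16:3e:de:ad:01)""".splitlines()
```

A "changed ethernet address" followed shortly by a "flip flop" for the same IP, as in the sample, is the pattern a rule would escalate, since a gateway address bouncing between two MACs is the classic symptom of an ARP-poisoning tool.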