Does Suricata IPS have the capability to detect and prevent ARP poisoning attacks? Snort uses a preprocessor that decodes ARP packets and detects ARP attacks, but I couldn't find any such capability mentioned for Suricata IPS.
This question is more suited to Suricata support. – schroeder Oct 18 '14 at 22:15
1 Answer
ARP attacks relate to layer 2 of the OSI model. Suricata and Snort IDPS are developed to detect attacks at the higher levels of the OSI model. Suricata doesn't have a mechanism to detect such types of attacks. Snort has a preprocessor to detect ARP attacks, but that needs some configuration. I have worked on that and I didn't find it useful because sometimes it will not work. The main drawback of the Snort arpspoof preprocessor is that you have to manually specify the IP and hardware address with arpspoof_detect_host. The host and Snort should be in the same layer 2 segment. To prevent such types of attacks the best solution is to use a layer 2 device (a switch).
ifexploit
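To make the answer's point about the Snort arpspoof preprocessor concrete, here is an added example (written for this page, not code from Snort, Suricata, or the answer's author) that reproduces the same checks in Python over raw Ethernet/ARP frames: a static IP-to-MAC table that you must fill in by hand, the same way Snort's `preprocessor arpspoof_detect_host: <ip> <mac>` lines work, plus a check that the Ethernet source address matches the ARP sender hardware address, and an optional check for unicast ARP requests. The IP and MAC addresses, the host table, and the frames are constructed sample data, and the function names are this example's own.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class ArpFrame:
    eth_dst: str
    eth_src: str
    oper: int
    sha: str   # sender hardware (MAC) address
    spa: str   # sender protocol (IP) address
    tha: str   # target hardware address
    tpa: str   # target protocol address


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(frame: bytes) -> Optional[ArpFrame]:
    """Decode an Ethernet II frame carrying IPv4-over-Ethernet ARP; None otherwise."""
    if len(frame) < 42:
        return None
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return ArpFrame(_mac(eth_dst), _mac(eth_src), oper,
                    _mac(sha), _ip(spa), _mac(tha), _ip(tpa))


def check_arp(frame: bytes, hosts: Dict[str, str], unicast: bool = False) -> List[str]:
    """Return a list of alert strings for one frame (empty when nothing is suspicious).

    hosts: manually maintained {ip: mac} table of protected hosts, the same
    information the Snort arpspoof_detect_host lines carry.
    """
    arp = parse_arp(frame)
    if arp is None:
        return []
    alerts: List[str] = []
    # The Ethernet header and the ARP payload should name the same sender.
    if arp.eth_src != arp.sha:
        alerts.append(f"ethernet source {arp.eth_src} does not match ARP sender {arp.sha}")
    # ARP requests are normally broadcast; a unicast request is a common probe.
    if unicast and arp.oper == ARP_REQUEST and arp.eth_dst != BROADCAST:
        alerts.append(f"unicast ARP request to {arp.eth_dst}")
    # Core check: a listed IP claimed by a MAC other than the one configured.
    expected = hosts.get(arp.spa)
    if expected is not None and expected.lower() != arp.sha:
        alerts.append(f"ARP cache overwrite attempt: {arp.spa} claimed by {arp.sha}, "
                      f"expected {expected}")
    return alerts


def build_arp(eth_src: str, oper: int, sha: str, spa: str, tha: str, tpa: str,
              eth_dst: str = BROADCAST) -> bytes:
    """Construct a raw ARP frame for offline testing (no sockets involved)."""
    m = lambda s: bytes(int(x, 16) for x in s.split(":"))
    i = lambda s: bytes(int(x) for x in s.split("."))
    return (struct.pack("!6s6sH", m(eth_dst), m(eth_src), ETH_P_ARP)
            + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                          m(sha), i(spa), m(tha), i(tpa)))


# Constructed sample data (assumed addresses, not taken from any real network).
GATEWAY_MAC, VICTIM_MAC, ATTACKER_MAC = "f0:0f:00:f0:0f:00", "00:11:22:33:44:55", "de:ad:be:ef:00:01"
HOSTS = {"192.168.40.1": GATEWAY_MAC}   # the hand-maintained table

GOOD_REPLY = build_arp(GATEWAY_MAC, ARP_REPLY, GATEWAY_MAC, "192.168.40.1",
                       VICTIM_MAC, "192.168.40.10", eth_dst=VICTIM_MAC)
SPOOFED_REPLY = build_arp(ATTACKER_MAC, ARP_REPLY, ATTACKER_MAC, "192.168.40.1",
                          VICTIM_MAC, "192.168.40.10", eth_dst=VICTIM_MAC)
HEADER_MISMATCH = build_arp(ATTACKER_MAC, ARP_REPLY, GATEWAY_MAC, "192.168.40.1",
                            VICTIM_MAC, "192.168.40.10", eth_dst=VICTIM_MAC)
UNICAST_REQUEST = build_arp(ATTACKER_MAC, ARP_REQUEST, ATTACKER_MAC, "192.168.40.77",
                            "00:00:00:00:00:00", "192.168.40.10", eth_dst=VICTIM_MAC)
NOT_ARP = b"\x00" * 12 + b"\x08\x00" + b"\x00" * 28   # IPv4 ethertype, ignored

if __name__ == "__main__":
    for name, frame in [("good", GOOD_REPLY), ("spoofed", SPOOFED_REPLY),
                        ("header-mismatch", HEADER_MISMATCH), ("unicast", UNICAST_REQUEST)]:
        print(name, check_arp(frame, HOSTS, unicast=True))
```

Two caveats follow directly from the code and match the answer's complaints. Only IPs present in `HOSTS` are protected, so a host you forgot to list, or an attacker who spoofs the exact MAC you configured, produces no alert. And the sensor must see the ARP frames, which never cross a router, so it has to sit on the same layer 2 segment as the hosts it protects (a SPAN port or a tap on that segment, not an upstream link).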