RE: Snort vs Hunt v1.5

From: Clint Byrum (cbyrum@spamaps.org)
Date: 10/09/02


From: Clint Byrum <cbyrum@spamaps.org>
To: focus-ids@securityfocus.com
Date: 08 Oct 2002 22:59:58 -0700

On Mon, 2002-10-07 at 18:24, Kevin Saenz wrote:
> Snort is designed to analyse the network traffic and alert you as to any attempted breach of security.
> Hunt and Snort are as different as chalk and cheese
>

Uh... I don't think that's what Rick was saying.

He was saying.. if somebody is throwing cheese around his network, how
does he outline them in chalk...

Or something like that.

Anyways... snort has an arp plugin, but I haven't found it necessary, as
arpwatch is perfect for this duty. Check it out. I run it on all of my
IDS's.

> -----Original Message-----
> From: Rick Zhong [mailto:isc00801@nus.edu.sg]
> Sent: Monday, October 07, 2002 8:52 PM
> To: focus-ids@securityfocus.com
> Subject: Snort vs Hunt v1.5
>
>
> hi,
> Is snort able to detect IP/ARP hijacking implemented by using Hunt v1.5?
>
> I have this setup:
> Host A: Linux 7.3
> IP 192.18.10.1 (with telnet server and snort installed)
>
> Host B: Linux 7.3
> IP 192.18.10.4 (client to the host A)
>
> Intruder
> IP 192.18.10.8 (with snot installed)
>
> It seems the intruder is able to catch all the telnet connections between
> host A and host B, however the snort on host A is not able to detect the
> intrusion. I am using the default snort rules in the snort package. So are
> there any available rules or signatures which can be used to detect this type
> of intrusion?
>
> regards,
> Rick
>
>
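
An added example, not part of the original message and not arpwatch's own code: a minimal sketch of the kind of IP-to-MAC binding tracking that the arpwatch recommendation above relies on, with event names modelled on arpwatch's reports. The `ArpMonitor`, `parse_arp` and `sample_frame` names and the MAC addresses are hypothetical or constructed; the IP addresses are the ones in the quoted setup, and untagged Ethernet frames are assumed.

```python
import struct

def parse_arp(frame):
    """Return (sender_ip, sender_mac) from an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":   # too short or not ARP
        return None
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ".".join(map(str, frame[28:32])), frame[22:28].hex(":")

class ArpMonitor:  # hypothetical name; keeps current and previous MAC per IP
    def __init__(self):
        self.current, self.previous = {}, {}
    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        ip, mac = parsed
        old = self.current.get(ip)
        if old == mac:
            return None                        # binding unchanged, nothing to report
        if old is None:
            event = "new station"              # first sighting of this IP
        elif self.previous.get(ip) == mac:
            event = "flip flop"                # back to the address seen before
        else:
            event = "changed ethernet address"
        self.previous[ip], self.current[ip] = old, mac
        return (event, ip, old, mac)

def sample_frame(sender_mac, sender_ip, target_mac, target_ip):
    """Constructed ARP reply bytes, used only as offline input for the monitor."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(o) for o in s.split("."))
    return (mac(target_mac) + mac(sender_mac) + b"\x08\x06"
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
            + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip))

# Constructed MACs (documentation range) for host A, host B and a third machine.
A, B, X = "00:00:5e:00:53:01", "00:00:5e:00:53:04", "00:00:5e:00:53:08"

def run_demo():
    mon = ArpMonitor()
    claim = lambda m: sample_frame(m, "192.18.10.4", A, "192.18.10.1")
    # Host B's IP seen at B's MAC, then at another MAC, then at B again (twice).
    return [mon.observe(claim(m)) for m in (B, X, B, B)]

if __name__ == "__main__": print(*run_demo(), sep="\n")
```

The second and third observations are the ones an operator cares about: the same IP appearing at a different MAC, then alternating back, is the pattern that signature rules inspecting only the telnet payload never see.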