Published 2024-04-26 (author: )

Snort detection rules for ARP attacks

English answer:

ARP Spoofing Detection Rules.

ARP spoofing is a technique used by attackers to trick other devices on a network into believing that the attacker's MAC address is associated with the IP address of another device. This can allow the attacker to intercept traffic intended for the target device, launch man-in-the-middle attacks, or otherwise disrupt network communications.

Snort is a popular network intrusion detection system (NIDS) that can be used to detect ARP spoofing attacks. Note that a Snort rule header only accepts the protocols ip, tcp, udp and icmp, so ARP frames cannot be matched by an ordinary rule; Snort 2.x instead ships a dedicated arpspoof preprocessor. The following snort.conf directives enable it:

preprocessor arpspoof

This directive enables the arpspoof preprocessor, which detects ARP spoofing attacks by looking for hosts that are sending unsolicited ARP requests (unicast ARP requests, reported as GID 112, SID 1; a normal request is broadcast). Unsolicited ARP requests are typically sent by attackers to try to poison the ARP cache of other devices on the network.

preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00

This directive gives the preprocessor the correct IP-to-MAC binding of a host to protect (the address pair is a placeholder; use the real addresses of your gateway or other critical hosts). The preprocessor then detects ARP spoofing attacks by looking for ARP replies that announce a different MAC address for that IP (reported as GID 112, SID 4, attempted ARP cache overwrite). Such replies are typically sent by attackers to try to trick other devices on the network into believing that the attacker's MAC address is associated with the IP address of the target device.

These directives can be added to the Snort configuration file to enable detection of ARP spoofing attacks.
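As an added example (not part of the original answer or of Snort itself), the following Python script re-implements the core checks described above on constructed ARP frames: a unicast ARP request, an Ethernet/ARP sender mismatch, and an ARP reply that would overwrite the binding of a protected host. The protected binding and all sample frames are constructed assumptions.

```python
import struct
# Constructed assumption: protected binding (gateway IP -> MAC), the role of arpspoof_detect_host.
PROTECTED = {"192.168.40.1": "f0:0f:00:f0:0f:00"}
BROADCAST, ETHERTYPE_ARP = "ff:ff:ff:ff:ff:ff", 0x0806
mac_str = lambda b: ":".join(f"{x:02x}" for x in b)
ip_str = lambda b: ".".join(str(x) for x in b)

def parse_arp_frame(frame):
    """Parse an Ethernet II + ARP frame; return None for anything else."""
    if len(frame) < 42:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    # ARP header: htype, ptype, hlen, plen, opcode, sender MAC/IP, target MAC/IP
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"eth_dst": mac_str(dst), "eth_src": mac_str(src), "op": op,
            "sha": mac_str(sha), "spa": ip_str(spa), "tha": mac_str(tha), "tpa": ip_str(tpa)}

def check_arp(frame, protected=PROTECTED):
    """Return the alerts one frame triggers (empty list means clean)."""
    arp = parse_arp_frame(frame)
    if arp is None:
        return []
    alerts = []
    if arp["op"] == 1 and arp["eth_dst"] != BROADCAST:  # request sent unicast
        alerts.append("unicast_arp_request")
    if arp["eth_src"] != arp["sha"]:  # Ethernet source != ARP sender MAC
        alerts.append("ethernet_arp_source_mismatch")
    known = protected.get(arp["spa"])
    if known is not None and arp["sha"] != known:  # wrong MAC for a protected IP
        alerts.append("arp_cache_overwrite_attempt")
    return alerts

def build_arp(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Build a constructed Ethernet/ARP frame (op 1 = request, 2 = reply)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack("!6s6sH", mac(eth_dst), mac(eth_src), ETHERTYPE_ARP) + struct.pack(
        "!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, mac(sha), ip(spa), mac(tha), ip(tpa))

# Constructed samples: host .10 resolves the gateway, the gateway answers, then a third MAC
# answers for the gateway IP and also probes .10 with a unicast request.
HOST, GW, ROGUE, ZERO = "aa:aa:aa:aa:aa:10", "f0:0f:00:f0:0f:00", "de:ad:be:ef:00:01", "00:00:00:00:00:00"
SAMPLES = {
    "legit_request": build_arp(BROADCAST, HOST, 1, HOST, "192.168.40.10", ZERO, "192.168.40.1"),
    "legit_reply": build_arp(HOST, GW, 2, GW, "192.168.40.1", HOST, "192.168.40.10"),
    "spoofed_reply": build_arp(HOST, ROGUE, 2, ROGUE, "192.168.40.1", HOST, "192.168.40.10"),
    "unicast_request": build_arp(HOST, ROGUE, 1, ROGUE, "192.168.40.50", ZERO, "192.168.40.10"),
}
```

Run `check_arp` over every frame in `SAMPLES` to see which of the three conditions each one trips; a production detector would read frames from a capture and log the offending MAC pair.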
