Mitigating ARP Poison Attacks in Snort3
=======================================

.. post:: Apr 21, 2025
   :tags: defense, snort3, snort
   :category: Cybersecurity

.. image:: _static/snort-arp-spoof-blog-diagram.png
   :width: 500

Today I’ll be switching gears. The last few months I’ve been focusing heavily on offensive techniques in network security, but what about defending your own systems? We’ll be diving into **Snort3**, a powerful Intrusion Detection System (IDS) used by security professionals and organizations worldwide. Let’s get into it.

ARP Spoofing
------------

First up: **ARP spoofing detection**. An ARP cache poisoning attack happens when an attacker sends fake ARP replies to devices on the network, claiming:

    "Hey, I’m the router. Send your packets to me!"

Luckily, Snort3 has a built-in ARP Spoof inspector. According to Cisco’s documentation, this module can:

.. epigraph::

   - Inspect Ethernet and ARP packet addresses. On detecting inconsistencies, it uses **rule 112:2** or **112:3** to generate alerts or drop packets (in inline mode).
   - Detect **unicast ARP requests**, triggering **rule 112:1** for alerts or drops.
   - Monitor ARP cache overwrite attempts using the `hosts[]` parameter, triggering **rule 112:4** on detection.

Detecting a Spoof
^^^^^^^^^^^^^^^^^

A common sign of an ARP spoofing attempt is an inconsistent MAC address associated with a known IP address — especially your gateway.

Example::

    Legitimate mapping: 10.0.0.1 -> ab:cd:ef:10:12
    Spoofed mapping:    10.0.0.1 -> 12:34:ab:cd:ef

The IP stays the same, but the MAC changes — which is a red flag. While MAC addresses *can* be changed, legitimate devices rarely do this, especially not a gateway/router.

Snort3 Setup
------------

To enable ARP spoof detection, open your `snort.lua` (Snort3 uses a Lua configuration in place of Snort 2’s `snort.conf`) and add the `arp_spoof` inspector:

.. code-block:: lua

   -- enabling the inspector arms rules 112:1 through 112:3 on every ARP frame
   arp_spoof = { }

To also catch cache overwrite attempts (rule 112:4), fill in the inspector’s `hosts[]` table with the real IP/MAC pairs of the hosts you care about, most importantly your gateway, e.g. `hosts = { { ip = '10.0.0.1', mac = '<gateway MAC>' } }`. The inspector then alerts whenever an ARP reply claims one of those IPs with a different MAC.

Then add the inspector’s builtin rules to your rules file (or set `enable_builtin_rules = true` in the `ips` table to enable every builtin rule) so alerts fire when suspicious ARP behavior is observed. Builtin rules carry no protocol/address header: GID 112 identifies the inspector and the SID identifies the check:

.. code-block:: none

   alert ( gid:112; sid:1; msg:"Unicast ARP request"; )
   alert ( gid:112; sid:2; msg:"Ethernet/ARP mismatch request for source"; )
   alert ( gid:112; sid:3; msg:"Ethernet/ARP mismatch request for destination"; )
   alert ( gid:112; sid:4; msg:"ARP cache attack"; )

These rules help identify and mitigate common ARP spoofing attempts across your local network.

----

This will alert us when any device sends a suspicious ARP reply to us. Keep in mind that `alert` rules only log: in passive mode nothing is blocked, so to actually drop spoofed frames you need to run Snort3 inline and use `drop` in place of `alert` for these rules. Hopefully, this can successfully mitigate most common ARP spoofing tools.
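To make the four checks above concrete, here is a small Python detector, added as an example for this post (it is not Snort’s code and only approximates the arp_spoof inspector’s logic). It parses raw Ethernet+ARP frames and reports the same GID/SID pairs the inspector would: a request not sent to the broadcast MAC (112:1), an Ethernet source that disagrees with the ARP sender MAC (112:2), a reply whose Ethernet destination disagrees with the ARP target MAC (112:3), and a reply that claims a `hosts[]`-listed IP with the wrong MAC (112:4). The gateway/host addresses, the `HOSTS` table and the sample frames are all constructed for the demo.

```python
import struct
from dataclasses import dataclass

# Wire formats for Ethernet II and IPv4-over-Ethernet ARP (network byte order).
ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def ip_bytes(text):
    return bytes(int(octet) for octet in text.split("."))


def ip_text(raw):
    return ".".join(str(b) for b in raw)


@dataclass
class ArpFrame:
    eth_dst: bytes
    eth_src: bytes
    op: int
    sha: bytes  # sender hardware (MAC) address inside the ARP header
    spa: bytes  # sender protocol (IPv4) address
    tha: bytes  # target hardware address
    tpa: bytes  # target protocol address


def build_frame(eth_src, eth_dst, op, sha, spa, tha, tpa):
    """Assemble a raw Ethernet+ARP frame; used here only to construct test traffic."""
    return ETH_HDR.pack(mac_bytes(eth_dst), mac_bytes(eth_src), ETHERTYPE_ARP) + ARP_PKT.pack(
        1, 0x0800, 6, 4, op, mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))


def parse_frame(raw):
    """Return an ArpFrame, or None if the bytes are not a well-formed IPv4 ARP frame."""
    if len(raw) < ETH_HDR.size + ARP_PKT.size:
        return None
    dst, src, ethertype = ETH_HDR.unpack_from(raw)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(raw, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ArpFrame(dst, src, op, sha, spa, tha, tpa)


def inspect(raw, hosts):
    """Return (gid, sid, msg) tuples for one frame. `hosts` maps IP text -> expected MAC text,
    playing the role of arp_spoof.hosts[]. The checks approximate the inspector (assumption)."""
    frame = parse_frame(raw)
    if frame is None:
        return []
    alerts = []
    if frame.op == ARP_REQUEST and frame.eth_dst != BROADCAST:
        alerts.append((112, 1, "unicast ARP request"))
    if frame.eth_src != frame.sha:
        alerts.append((112, 2, "ethernet/ARP mismatch request for source"))
    if frame.op == ARP_REPLY and frame.eth_dst != frame.tha:
        alerts.append((112, 3, "ethernet/ARP mismatch request for destination"))
    expected = hosts.get(ip_text(frame.spa))
    if frame.op == ARP_REPLY and expected is not None and mac_bytes(expected) != frame.sha:
        alerts.append((112, 4, "attempted ARP cache overwrite attack"))
    return alerts


# Constructed lab addresses: gateway 10.0.0.1, a client 10.0.0.5, and a rogue host.
GW_MAC, HOST_MAC, ROGUE_MAC = "02:00:00:00:00:01", "02:00:00:00:00:05", "02:00:00:00:00:66"
HOSTS = {"10.0.0.1": GW_MAC}  # what a hosts[] entry for the gateway would pin

SAMPLE_FRAMES = {
    "legit_reply": build_frame(GW_MAC, HOST_MAC, ARP_REPLY, GW_MAC, "10.0.0.1", HOST_MAC, "10.0.0.5"),
    "spoofed_reply": build_frame(ROGUE_MAC, HOST_MAC, ARP_REPLY, ROGUE_MAC, "10.0.0.1", HOST_MAC, "10.0.0.5"),
    "broadcast_request": build_frame(HOST_MAC, "ff:ff:ff:ff:ff:ff", ARP_REQUEST,
                                     HOST_MAC, "10.0.0.5", "00:00:00:00:00:00", "10.0.0.1"),
    "unicast_request": build_frame(HOST_MAC, GW_MAC, ARP_REQUEST,
                                   HOST_MAC, "10.0.0.5", "00:00:00:00:00:00", "10.0.0.1"),
    "src_mismatch": build_frame(ROGUE_MAC, "ff:ff:ff:ff:ff:ff", ARP_REQUEST,
                                HOST_MAC, "10.0.0.5", "00:00:00:00:00:00", "10.0.0.1"),
}


def scan(frames=SAMPLE_FRAMES, hosts=HOSTS):
    """Run every sample frame through inspect() and keep just the (gid, sid) pairs."""
    return {name: [(gid, sid) for gid, sid, _ in inspect(raw, hosts)] for name, raw in frames.items()}


if __name__ == "__main__":
    for name, hits in scan().items():
        print(f"{name:18s} -> {hits or 'no alert'}")
```

Note that the `spoofed_reply` sample is internally consistent (its Ethernet source matches its ARP sender MAC), so checks 112:2 and 112:3 stay quiet; only the `hosts[]` comparison (112:4) catches it. That is why pinning the gateway in `hosts[]` matters rather than relying on the header-consistency rules alone.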