# Mitigating ARP Poison Attacks in Snort3

Today I’ll be switching gears. The last few months I’ve been focusing heavily on offensive techniques in network security, but what about defending your own systems?
We’ll be diving into Snort3, a powerful Intrusion Detection System (IDS) used by security professionals and organizations worldwide. Let’s get into it.
## ARP Spoofing
First up: ARP spoofing detection. An ARP cache poisoning attack happens when an attacker sends fake ARP replies to devices on the network, claiming:
> “Hey, I’m the router. Send your packets to me!”
Luckily, Snort3 has a built-in ARP Spoof inspector. According to Cisco's documentation, this module can:

- Compare the hardware addresses in the Ethernet header with those in the ARP packet. On a mismatch it raises rule 112:2 (source) or 112:3 (destination) to generate alerts or, in inline mode, drop packets.
- Detect unicast ARP requests (requests are normally broadcast), raising rule 112:1 for alerts or drops.
- Monitor ARP cache overwrite attempts against the IP-to-MAC mappings you pin with the hosts[] parameter, raising rule 112:4 on detection.
### Detecting a Spoof
A common sign of an ARP spoofing attempt is an inconsistent MAC address associated with a known IP address, especially your gateway.

Example:

- Legitimate mapping: `10.0.0.1 -> ab:cd:ef:10:12`
- Spoofed mapping: `10.0.0.1 -> 12:34:ab:cd:ef`

The IP stays the same, but the MAC changes, which is a red flag. MAC addresses can be changed, but legitimate devices rarely do so, and a gateway/router almost never does.
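To make the inspector's four checks and the mismatch principle above concrete, here is an added Lua model of them, run over constructed ARP frames. This is not Snort's code and not from the original post; the `inspect_arp` and `KNOWN_HOSTS` names, the frame fields, the check ordering and every address are this example's own simplification and placeholders.

```lua
-- Added example (not Snort code, not from the original post): a simplified
-- model of the four gid 112 checks, run over constructed ARP frames.
local ARP_REQUEST, ARP_REPLY = 1, 2
local BROADCAST = 'ff:ff:ff:ff:ff:ff'

-- Known-good IP -> MAC mappings, the counterpart of arp_spoof.hosts.
-- The gateway MAC is a constructed placeholder.
local KNOWN_HOSTS = {
  ['10.0.0.1'] = '00:11:22:33:44:55',
}

-- frame fields: op, eth_src/eth_dst (Ethernet header), arp_sha/arp_spa/arp_tha
-- (hardware and protocol addresses carried inside the ARP payload).
-- Returns a list of { gid = 112, sid = n, msg = ... } events.
local function inspect_arp(frame, known)
  local events = {}
  local function alert(sid, msg)
    events[#events + 1] = { gid = 112, sid = sid, msg = msg }
  end

  if frame.op == ARP_REQUEST then
    -- 112:1 requests are normally broadcast; a unicast request is suspicious
    if frame.eth_dst ~= BROADCAST then
      alert(1, 'Unicast ARP request')
    -- 112:2 the sender MAC inside the ARP payload must match the Ethernet source
    elseif frame.eth_src ~= frame.arp_sha then
      alert(2, 'Ethernet/ARP mismatch request for source')
    end
  elseif frame.op == ARP_REPLY then
    if frame.eth_src ~= frame.arp_sha then
      alert(2, 'Ethernet/ARP mismatch request for source')
    -- 112:3 the target MAC inside the reply must match the Ethernet destination
    elseif frame.eth_dst ~= frame.arp_tha then
      alert(3, 'Ethernet/ARP mismatch request for destination')
    end
  end

  -- 112:4 a sender claiming a pinned IP with a different MAC is an overwrite attempt
  local expected = known[frame.arp_spa]
  if expected and expected ~= frame.arp_sha then
    alert(4, 'ARP cache attack')
  end
  return events
end

-- Constructed frames: a genuine gateway reply, a spoofed gateway reply, and a
-- unicast request. 'aa:aa:aa:aa:aa:01' plays the host being protected.
local SAMPLE_FRAMES = {
  { op = ARP_REPLY,   eth_src = '00:11:22:33:44:55', eth_dst = 'aa:aa:aa:aa:aa:01',
    arp_sha = '00:11:22:33:44:55', arp_spa = '10.0.0.1', arp_tha = 'aa:aa:aa:aa:aa:01' },
  { op = ARP_REPLY,   eth_src = 'de:ad:be:ef:00:01', eth_dst = 'aa:aa:aa:aa:aa:01',
    arp_sha = 'de:ad:be:ef:00:01', arp_spa = '10.0.0.1', arp_tha = 'aa:aa:aa:aa:aa:01' },
  { op = ARP_REQUEST, eth_src = 'de:ad:be:ef:00:01', eth_dst = 'aa:aa:aa:aa:aa:01',
    arp_sha = 'de:ad:be:ef:00:01', arp_spa = '10.0.0.7', arp_tha = '00:00:00:00:00:00' },
}

for i, frame in ipairs(SAMPLE_FRAMES) do
  local events = inspect_arp(frame, KNOWN_HOSTS)
  if #events == 0 then
    print(string.format('frame %d: ok', i))
  end
  for _, ev in ipairs(events) do
    print(string.format('frame %d: [%d:%d] %s', i, ev.gid, ev.sid, ev.msg))
  end
end
```

Run it with any Lua 5.x interpreter: the first frame passes, the second (same IP, different MAC) produces the 112:4 event, and the third produces 112:1. Note that 112:4 can only fire for IPs you have pinned in the table, which is why the gateway entry matters most.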
## Snort3 Setup
To enable ARP spoof detection, open your Snort 3 configuration (`snort.lua`, the Lua file that replaces the Snort 2 `snort.conf` and its `preprocessor` lines) and add the inspector:

```lua
arp_spoof = { }
```
Then enable the following builtin rules so that suspicious ARP behavior is reported. The inspector's events live under gid 112 with sids 1 to 4, and Snort 3 builtin rules take no protocol or address header:

```
alert ( msg:"ARP cache attack"; gid:112; sid:4; )
alert ( msg:"Ethernet/ARP mismatch request for source"; gid:112; sid:2; )
alert ( msg:"Ethernet/ARP mismatch request for destination"; gid:112; sid:3; )
alert ( msg:"Unicast ARP request"; gid:112; sid:1; )
```
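A fuller `snort.lua` fragment, added here as an example rather than taken from the post or from the Snort project's own sample configuration, that pins the gateway mapping from the section above through `hosts[]` and enables only the gid 112 events through `ips.rules`. The gateway MAC is a constructed placeholder, because the mapping in the post is illustrative; Snort 3 validates `mac` as six colon-separated octets, so substitute the real address, read from a trusted host while the network is known-good.

```lua
-- snort.lua fragment (added example, not from the original post)
-- Pin the gateway's IP -> MAC mapping so that any ARP packet claiming 10.0.0.1
-- with a different MAC raises 112:4. The MAC below is a constructed placeholder.
arp_spoof =
{
    hosts =
    {
        { ip = '10.0.0.1', mac = '00:11:22:33:44:55' },  -- gateway (placeholder MAC)
    }
}

-- Enable just the arp_spoof events (gid 112). The inspector supplies the
-- messages, so gid and sid are enough here; ips.enable_builtin_rules = true
-- would instead switch on every builtin rule of every inspector.
ips =
{
    rules = [[
        alert ( gid:112; sid:1; )
        alert ( gid:112; sid:2; )
        alert ( gid:112; sid:3; )
        alert ( gid:112; sid:4; )
    ]],
}
```

`snort -c snort.lua -T` validates the configuration without processing traffic, which is the quickest way to catch a typo in the `hosts` table before deploying.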
These rules help identify and mitigate common ARP spoofing attempts across your local network.
---
This will alert us when any device sends a suspicious ARP reply to us. Hopefully, this can successfully mitigate most common ARP spoofing tools.