Snort mailing list archives
How to detect massive ARPing from Ettercap?
From: twig les <twigles () yahoo com>
Date: Fri, 27 Sep 2002 10:14:38 -0700 (PDT)
Hey *,

my latest spare-time toy is ettercap (ettercap.sourceforge.net), which among many other things, can map its subnet in about 10 seconds thru massive arping. Unfortunately my snort box didn't see this happening. More accurately, it saw it but didn't generate any alerts. I know it saw it because I ran tcpdump on the snort box also.

Is there a way to catch this in 1.8.7? I saw a post this week about setting thresholds for rules (100 arps in 10 seconds = alert), but I'm curious....

=====
Heavy metal made me do it.
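The threshold idea mentioned in the message (100 ARPs in 10 seconds = alert), worked through as an added example that is not part of the original post and is not Snort code. It assumes ARP requests printed in the style of `tcpdump -n arp` output; the function names, sample addresses and capture lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque

# ARP request line as printed by `tcpdump -n arp` (assumed format; adjust to your capture).
ARP_REQ = re.compile(
    r"^(\d+):(\d+):(\d+(?:\.\d+)?) ARP, Request who-has (\S+) tell (\S+), length \d+"
)

def detect_arp_sweeps(lines, max_requests=100, window=10.0):
    """Return {sender_ip: (alert_time_in_seconds, distinct_targets)} for each sender
    whose ARP requests reach max_requests inside a sliding `window`-second span.
    Lines must be in capture order; midnight rollover is not handled."""
    recent = defaultdict(deque)   # sender -> (time, target) pairs still inside the window
    alerts = {}
    for line in lines:
        m = ARP_REQ.match(line)
        if not m:
            continue              # ARP replies and non-ARP lines are ignored
        h, mi, s, target, sender = m.groups()
        t = int(h) * 3600 + int(mi) * 60 + float(s)
        q = recent[sender]
        q.append((t, target))
        while t - q[0][0] > window:      # expire requests older than the window
            q.popleft()
        if len(q) >= max_requests and sender not in alerts:
            # Many distinct targets separates a subnet sweep from retries for one host.
            alerts[sender] = (t, len({tgt for _, tgt in q}))
    return alerts

def sample_capture():
    """Constructed capture: 192.0.2.77 sweeps a /24 in ~10 s, 192.0.2.10 behaves normally."""
    lines = []
    for i in range(1, 255):
        stamp = f"10:14:{38 + i * 0.04:09.6f}"
        lines.append(f"{stamp} ARP, Request who-has 192.0.2.{i} tell 192.0.2.77, length 28")
    lines += [
        "10:14:39.000000 ARP, Request who-has 192.0.2.1 tell 192.0.2.10, length 28",
        "10:14:39.000100 ARP, Reply 192.0.2.1 is-at 00:00:5e:00:53:01, length 28",
        "10:14:45.000000 ARP, Request who-has 192.0.2.1 tell 192.0.2.10, length 28",
    ]
    return lines

if __name__ == "__main__":
    for sender, (when, targets) in detect_arp_sweeps(sample_capture()).items():
        print(f"ALERT possible ARP sweep from {sender}: {targets} distinct targets in window")
```

Lowering `max_requests` catches slower sweeps at the cost of flagging busy gateways and DHCP servers, which legitimately ARP for many hosts.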