ARPspoof Question

[Michael Esposito <michael.esposito () juno com>]

I'm trying to get the arpspoof preprocessor to work properly.
I've been using Snort 1.83 on W2K.

I have the following in my snort.conf:

preprocessor arpspoof: -unicast
preprocessor arpspoof_detect_host: 192.168.0.1 00:00:d4:7d:3a:58


unicast ARP request alerts show up in ACID but they do not appear in the
ARP file under c:\snort\logs

Partial output from my ARP file:

09/21-23:56:06.589086 ARP reply 0.0.0.0 is-at 0:B B:99:F:95
09/21-23:56:07.545926 ARP who-has 0.0.0.0 tell 0.0.0.0
09/21-23:56:08.598975 ARP reply 0.0.0.0 is-at 0:B B:99:F:95


It was working for a while, but now I can't get it to log to this file
anymore.

Any suggestions?

Thanks,

michael 

________________________________________________________________
The best thing to hit the internet in years - Juno SpeedBand!
Surf the web up to FIVE TIMES FASTER!
Only $14.95/ month - visit www.juno.com to sign up today!


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users