Snort mailing list archives
anything wrong with arpspoof preprocessor?
From: Shoelace <yc_koay () yahoo com sg>
Date: Sun, 8 Feb 2004 23:50:24 +0800 (CST)
Hi, Noticed that arpspoof only detects the last entry in the configuration. Does anyone have same problem? my configuration looks like this: preprocessor arpspoof preprocessor arpspoof_detect_host: 192.168.4.153 00:0D:56:54:75:D4 preprocessor arpspoof_detect_host: 192.168.4.239 00:02:B3:AC:E1:15 Test Scenario 1: I fired same attack to these two machines. Result : I am only seeing alerts for 192.168.4.239 but not 192.168.4.153. Test Scenario 2: I conduct a second test with configuration: preprocessor arpspoof preprocessor arpspoof_detect_host: 192.168.4.153 00:0D:56:54:75:D4 Same attack fired, but I am able to detect 192.168.4.153 this time. Test Scenario 3: I moved 192.168.4.239 above 192.168.4.153. Configuration look like this: preprocessor arpspoof preprocessor arpspoof_detect_host: 192.168.4.239 00:02:B3:AC:E1:15 preprocessor arpspoof_detect_host: 192.168.4.153 00:0D:56:54:75:D4 I am seeing alerts for 192.168.4.153 but not 192.168.4.239 now. Is there anything wrong with my configuration? Y! Asia presents Lavalife - Get clicking with thousands of local singles today!
Current thread:
- anything wrong with arpspoof preprocessor? Shoelace (Feb 08)