Snort mailing list archives
RE: preprocessor arpspoof, help!
From: Daniel Ascensão <dpla () mega ist utl pt>
Date: Sun, 15 Feb 2004 18:30:59 +0000
Yes, I know what RTFM is!! I tried to find information about this particular preprocessor and I didn't find any in the manual. The only information that I found is in the config file.
I'm sorry to you all if this is an idiot question.
Daniel Ascensão
At 17:53 15-02-2004, you wrote:
There is some documentation to be found in the docs directory of snort.
Snort Manual. This is also found online.
Do you know what a search engine is?
Do you know what RTFM is?
RE: Snortsnarf alert logging. Are you logging alerts?
J.
:> -----Original Message-----
:> From: snort-users-admin () lists sourceforge net
:> [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Daniel Ascensão
:> Sent: Sunday, February 15, 2004 7:55 AM
:> To: snort-users () lists sourceforge net
:> Subject: [Snort-users] preprocessor arpspoof, help!
:>
:> Hi,
:>
:> I'm trying to use the arpspoof preprocessor but I have some questions.
:> First, where can I find some documentation about it?
:>
:> I'm not sure how it works. I have this conf. In the arpspoof:
:>
:> preprocessor arpspoof
:> preprocessor arpspoof_detect_host: 10.0.99.153 0:30:84:ee:c4:34
:> preprocessor arpspoof_detect_host: 10.0.255.254 0:30:48:12:66:81
:>
:> If I get any ARP packet that matches this mapping I get the following log:
:>
:> [**] [112:4:1] (spp_arpspoof) Attempted ARP cache overwrite attack [**]
:> 02/14-16:41:14.553565
:>
:> And if the ARP request or reply doesn't match, it's dropped silently.
:> However, what I want to do with the preprocessor is to have an alert when I
:> have an ARP request that didn't match the mapping and possibly drop it.
:>
:> Another question: these alerts don't appear in SnortSnarf reports, why?
:>
:> Thanks in advance
:>
:> Daniel Ascensão
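The check the original poster asks for (alert when an ARP request or reply announces a pinned IP address with a MAC other than the configured one), written out as an added example; it is not Snort's code and not part of the thread. The table comes from the `arpspoof_detect_host` lines in the quoted message; the function names and the sample packets are constructed for illustration.

```python
import struct

# IP -> MAC pins, taken from the arpspoof_detect_host lines quoted in the post
KNOWN_HOSTS = {
    "10.0.99.153": "0:30:84:ee:c4:34",
    "10.0.255.254": "0:30:48:12:66:81",
}

def norm_mac(mac):
    """Normalise 0:30:84:... and 00:30:84:... to the same zero-padded form."""
    return ":".join("%02x" % int(part, 16) for part in mac.split(":"))

def parse_arp(payload):
    """Parse an Ethernet/IPv4 ARP payload (the 28 bytes after the Ethernet header)."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    sha, spa = payload[8:14], payload[14:18]
    return oper, ":".join("%02x" % b for b in sha), ".".join(str(b) for b in spa)

def check_arp(payload, known=KNOWN_HOSTS):
    """Return an alert string if the sender IP is pinned and its MAC differs, else None."""
    oper, sender_mac, sender_ip = parse_arp(payload)
    expected = known.get(sender_ip)
    if expected is None or norm_mac(expected) == sender_mac:
        return None  # unpinned host, or the announced pair agrees with the table
    kind = {1: "request", 2: "reply"}.get(oper, "op %d" % oper)
    return "ARP %s claims %s is at %s, expected %s" % (
        kind, sender_ip, sender_mac, norm_mac(expected))

def build_arp(oper, sha, spa, tha, tpa):
    """Construct a sample ARP payload (sender MAC/IP, target MAC/IP) for the demo."""
    mac = lambda m: bytes(int(p, 16) for p in m.split(":"))
    ip = lambda a: bytes(int(p) for p in a.split("."))
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + mac(sha) + ip(spa) + mac(tha) + ip(tpa))

if __name__ == "__main__":
    # Constructed samples: one reply consistent with the table, one that is not
    good = build_arp(2, "0:30:84:ee:c4:34", "10.0.99.153", "0:30:48:12:66:81", "10.0.255.254")
    bad = build_arp(2, "00:11:22:33:44:55", "10.0.255.254", "0:30:84:ee:c4:34", "10.0.99.153")
    for pkt in (good, bad):
        print(check_arp(pkt) or "ok")
```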