Snort mailing list archives
arp preprocessor
From: Daniel Ascensão <zyxmail () netvisao pt>
Date: Sat, 14 Feb 2004 17:10:20 +0000
Hi,

I'm trying to use the arpspoof preprocessor but I have some questions. First, where can I find some documentation about it? I'm not sure how it works. I have this conf. In the arpspoof:

    preprocessor arpspoof
    preprocessor arpspoof_detect_host: 10.0.99.153 0:30:84:ee:c4:34
    preprocessor arpspoof_detect_host: 10.0.255.254 0:30:48:12:66:81

If I get any arp package that matches this mapping I get the following log:

    [**] [112:4:1] (spp_arpspoof) Attempted ARP cache overwrite attack [**]
    02/14-16:41:14.553565

And if the arp request or reply doesn't match, it's dropped silently. However, what I want to do with the preprocessor is to have an alert when I have an arp request that didn't match the mapping and possibly drop it.

Another question: these alerts don't appear in SnortSnarf reports, why?

Thks in advance
Daniel Ascensão
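The check the post asks for (flag an ARP request or reply whose sender IP is in the mapping but whose sender MAC differs), written as an added standalone example; it is not code from the post or from Snort's spp_arpspoof. Only the two IP/MAC pairs come from the post; the function names and the sample frames are constructed for illustration.

```python
import struct

def mac_bytes(text):
    """Parse a colon-separated MAC, accepting short octets such as '0:30:...'."""
    return bytes(int(octet, 16) for octet in text.split(":"))

def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)

# IP -> MAC bindings copied from the arpspoof_detect_host lines in the post.
EXPECTED = {
    "10.0.99.153": mac_bytes("0:30:84:ee:c4:34"),
    "10.0.255.254": mac_bytes("0:30:48:12:66:81"),
}

def check_arp(frame, expected=EXPECTED):
    """Return an alert string when a watched IP is claimed by the wrong MAC, else None."""
    if len(frame) < 42:                                   # 14-byte Ethernet + 28-byte ARP
        return None
    if struct.unpack("!H", frame[12:14])[0] != 0x0806:    # EtherType is not ARP
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):   # only Ethernet/IPv4 ARP
        return None
    sender_mac, sender_ip = frame[22:28], ".".join(map(str, frame[28:32]))
    want = expected.get(sender_ip)
    if want is None or want == sender_mac:                # unwatched IP, or binding is correct
        return None
    kind = {1: "request", 2: "reply"}.get(oper, f"op {oper}")
    return (f"ARP {kind}: {sender_ip} claimed by {mac_text(sender_mac)}, "
            f"expected {mac_text(want)}")

def build_arp(oper, sha, spa, tha, tpa):
    """Build a constructed Ethernet/ARP frame for the demo (not captured traffic)."""
    ip = lambda s: bytes(int(x) for x in s.split("."))
    eth = b"\xff" * 6 + mac_bytes(sha) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    return eth + arp + mac_bytes(sha) + ip(spa) + mac_bytes(tha) + ip(tpa)

if __name__ == "__main__":
    samples = [  # constructed frames; 02:00:00:00:00:01 is a made-up MAC
        build_arp(2, "0:30:84:ee:c4:34", "10.0.99.153", "0:30:48:12:66:81", "10.0.255.254"),
        build_arp(2, "02:00:00:00:00:01", "10.0.255.254", "0:30:84:ee:c4:34", "10.0.99.153"),
        build_arp(1, "02:00:00:00:00:01", "10.0.99.153", "0:0:0:0:0:0", "10.0.255.254"),
    ]
    for frame in samples:
        print(check_arp(frame) or "ok")
```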