Snort mailing list archives
ARP Processor Question
From: Qinwen Hu <qhu009 () aucklanduni ac nz>
Date: Thu, 12 Jan 2012 08:20:41 +1300
Hi All:

I have used Snort-2.9.1.1 and tried to enable the "ARP" preprocessor. After I enabled "preprocessor arpspoof: -unicast", I used Snort to read a trace file, which has an ARP request. The Snort manual explains that "When "-unicast" is specified as the argument of arpspoof, the preprocessor checks for unicast ARP requests. An alert with GID 112 and SID 1 will be generated if a unicast ARP request is detected". But when I check my /var/log/snort, I still find my alert file is empty. So I just wonder whether there is any configuration that I did wrong. Why can't Snort detect the ARP request?

Thanks for your time.

Regards
Steven
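The condition in the manual text quoted above can be checked against a trace before looking at the Snort configuration. The following is an added example, not part of the original post and not Snort's own code. It assumes that "unicast ARP request" means ARP opcode 1 in a frame whose Ethernet destination is not ff:ff:ff:ff:ff:ff, and that the trace is a classic libpcap file with Ethernet link type; all function names are hypothetical and the sample capture is constructed.

```python
import struct

BROADCAST = b"\xff" * 6

def classify_arp(frame):
    """Return 'unicast-request', 'broadcast-request', 'other-arp', or None."""
    if len(frame) < 42:              # 14-byte Ethernet header + 28-byte ARP body
        return None
    dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:          # not ARP (VLAN-tagged frames not handled)
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None                  # only Ethernet/IPv4 ARP is classified
    if oper != 1:                    # 1 = request, 2 = reply
        return "other-arp"
    return "broadcast-request" if dst == BROADCAST else "unicast-request"

def pcap_frames(data):
    """Yield raw frames from a classic libpcap capture held in memory."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def count_arp(data):
    """Tally ARP classifications for every frame in the capture."""
    counts = {}
    for frame in pcap_frames(data):
        kind = classify_arp(frame)
        if kind:
            counts[kind] = counts.get(kind, 0) + 1
    return counts

# --- constructed sample capture (not taken from the poster's trace) ---
def _arp(eth_dst, oper):
    src = bytes.fromhex("020000000001")
    body = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper, src,
                       bytes([192, 0, 2, 1]), b"\x00" * 6, bytes([192, 0, 2, 2]))
    return eth_dst + src + struct.pack("!H", 0x0806) + body

def sample_pcap():
    peer = bytes.fromhex("020000000002")
    frames = [_arp(BROADCAST, 1), _arp(peer, 1), _arp(peer, 2)]
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
```

To run it on a real trace, pass the file's bytes to `count_arp`; a result with no "unicast-request" entry means the capture contains no frame that meets the assumed condition.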