Snort mailing list archives
Re: Arp Preprocessor Patch
From: José Diogo via Snort-devel <snort-devel () lists snort org>
Date: Tue, 30 Oct 2018 11:22:21 +0000
Hi,

Can you give me some feedback?

Best Regards,
José Monteiro

On 11/10/2018, at 17:23, José Diogo <jdiogolopes () gmail com> wrote:

Hi,

This is a patch for the ARP preprocessor to produce more detailed messages regarding the ARP Cache Override Attacks. The patch adds the following information to the default message: SHA (Sender Hardware Address), SPA (Sender Protocol Address), THA (Target Hardware Address) and TPA (Target Protocol Address) as defined in the ARP protocol message.

This way, instead of getting a somewhat ambiguous default message (i.e. "(spp_arpspoof) Attempted ARP cache overwrite attack"), it produces something like:

"(spp_arpspoof) Attempted ARP cache overwrite attack, Mismatch mapping aa:aa:aa:aa:aa:aa <-> 172.27.248.1, sha bb:bb:bb:bb:bb:bb, spa 172.27.248.1, tha cc:cc:cc:cc:cc:cc, tpa 172.27.248.213"

Let me know your feedback.

<spp_arpspoof.c.diff>

Best Regards,
José Monteiro
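The following is an added example, not the attached patch and not Snort's own code: it shows how a mismatch between a trusted IP/MAC mapping and an ARP message's sender fields can be reported in the detailed format quoted in the mail. The struct names, `arp_overwrite_check` and the static-table lookup are assumptions made for illustration; the sample addresses are the ones from the mail's example message.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Address fields of an Ethernet/IPv4 ARP message, named as in the mail. */
struct arp_addrs {
    uint8_t sha[6], spa[4];  /* sender hardware / protocol address */
    uint8_t tha[6], tpa[4];  /* target hardware / protocol address */
};
/* Hypothetical trusted IP <-> MAC entry (a statically configured mapping). */
struct ip_mac_entry { uint8_t ip[4], mac[6]; };

static const char *mac_str(const uint8_t *m, char *b, size_t n) {
    snprintf(b, n, "%02x:%02x:%02x:%02x:%02x:%02x", m[0], m[1], m[2], m[3], m[4], m[5]);
    return b;
}
static const char *ip_str(const uint8_t *a, char *b, size_t n) {
    snprintf(b, n, "%u.%u.%u.%u", a[0], a[1], a[2], a[3]);
    return b;
}

/* Returns 1 and writes the detailed alert into msg when the packet's SPA is in
 * the table but its SHA is not the trusted MAC; returns 0 (empty msg) otherwise. */
int arp_overwrite_check(const struct ip_mac_entry *tbl, size_t n,
                        const struct arp_addrs *a, char *msg, size_t len) {
    char known[18], sha[18], tha[18], spa[16], tpa[16];
    if (len) msg[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        if (memcmp(tbl[i].ip, a->spa, 4) != 0) continue;   /* not a tracked host */
        if (memcmp(tbl[i].mac, a->sha, 6) == 0) return 0;  /* mapping is consistent */
        ip_str(a->spa, spa, sizeof spa);
        snprintf(msg, len, "(spp_arpspoof) Attempted ARP cache overwrite attack, "
                 "Mismatch mapping %s <-> %s, sha %s, spa %s, tha %s, tpa %s",
                 mac_str(tbl[i].mac, known, sizeof known), spa,
                 mac_str(a->sha, sha, sizeof sha), spa,
                 mac_str(a->tha, tha, sizeof tha), ip_str(a->tpa, tpa, sizeof tpa));
        return 1;
    }
    return 0;
}

/* Constructed sample data: the addresses from the example message in the mail. */
static const struct ip_mac_entry TABLE[] = {
    {{172, 27, 248, 1}, {0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa}} };
static const struct arp_addrs SPOOFED = {
    {0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb}, {172, 27, 248, 1},
    {0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc}, {172, 27, 248, 213} };

int main(void) {
    char msg[256];
    if (arp_overwrite_check(TABLE, 1, &SPOOFED, msg, sizeof msg)) puts(msg);
    return 0;
}
```

With SHA and SPA in the alert, an analyst can see which host claimed the protected address; THA and TPA show which host the message was addressed to.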