Snort mailing list archives

Re: Arp Preprocessor Patch


From: José Diogo via Snort-devel <snort-devel () lists snort org>
Date: Tue, 30 Oct 2018 11:22:21 +0000

Hi,

Can you give me some feedback?

Best Regards,
José Monteiro

On 11/10/2018, at 17:23, José Diogo <jdiogolopes () gmail com> wrote:

Hi,

This is a patch for the ARP preprocessor to produce more detailed messages regarding the ARP Cache Override Attacks.
The patch adds the following information to the default message: SHA (Sender Hardware Address), SPA (Sender Protocol
Address), THA (Target Hardware Address) and TPA (Target Protocol Address) as defined in the ARP protocol message.
This way, instead of getting a somewhat ambiguous default message (i.e. "(spp_arpspoof) Attempted ARP cache overwrite
attack"), it produces something like: "(spp_arpspoof) Attempted ARP cache overwrite attack, Mismatch mapping
aa:aa:aa:aa:aa:aa <-> 172.27.248.1, sha bb:bb:bb:bb:bb:bb, spa 172.27.248.1, tha cc:cc:cc:cc:cc:cc, tpa
172.27.248.213".

Let me know your feedback.
<spp_arpspoof.c.diff>

Best Regards,
José Monteiro
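
The message format described in the post above, as an added example that is not part of the original post and is neither Snort's spp_arpspoof.c nor the attached patch. It assumes an Ethernet/IPv4 ARP message and one configured IP-to-MAC binding; the type and function names are hypothetical, and the rule for when the alert fires (SPA equals the bound IP while SHA differs from the bound MAC) is an assumption.

```c
/* Added illustration; not Snort's spp_arpspoof.c and not the attached patch.
 * All type and function names here are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Address fields of an ARP message for Ethernet/IPv4 (RFC 826 names). */
struct arp_addrs {
    uint8_t sha[6], spa[4], tha[6], tpa[4];
};

/* One statically configured IP <-> MAC binding to check against. */
struct arp_binding { uint8_t ip[4], mac[6]; };

static void fmt_mac(const uint8_t *m, char out[18]) {
    snprintf(out, 18, "%02x:%02x:%02x:%02x:%02x:%02x",
             m[0], m[1], m[2], m[3], m[4], m[5]);
}

static void fmt_ip(const uint8_t *a, char out[16]) {
    snprintf(out, 16, "%u.%u.%u.%u", a[0], a[1], a[2], a[3]);
}

/* Returns 1 and fills msg when the packet claims the bound IP (SPA) with a
 * different hardware address (SHA); returns 0 when there is nothing to report. */
int arp_overwrite_msg(const struct arp_addrs *p, const struct arp_binding *b,
                      char *msg, size_t len) {
    char want[18], sha[18], tha[18], bip[16], spa[16], tpa[16];

    if (memcmp(p->spa, b->ip, 4) != 0 || memcmp(p->sha, b->mac, 6) == 0)
        return 0;
    fmt_mac(b->mac, want); fmt_mac(p->sha, sha); fmt_mac(p->tha, tha);
    fmt_ip(b->ip, bip);    fmt_ip(p->spa, spa);  fmt_ip(p->tpa, tpa);
    snprintf(msg, len,
             "(spp_arpspoof) Attempted ARP cache overwrite attack, "
             "Mismatch mapping %s <-> %s, sha %s, spa %s, tha %s, tpa %s",
             want, bip, sha, spa, tha, tpa);
    return 1;
}

int main(void) {
    /* Constructed sample: the addresses used in the post's example message. */
    struct arp_binding b = {{172, 27, 248, 1}, {0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa}};
    struct arp_addrs p = {{0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb}, {172, 27, 248, 1},
                          {0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc}, {172, 27, 248, 213}};
    char msg[256];
    if (arp_overwrite_msg(&p, &b, msg, sizeof msg)) puts(msg);
    return 0;
}
```

With all four address fields in the alert text, an analyst can see from the log line alone which host claimed the address and which host the message was sent to.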
