Snort mailing list archives
Re: Arpspoof Preproc failed
From: "Al Lewis (allewi) via Snort-sigs" <snort-sigs () lists snort org>
Date: Mon, 27 Apr 2020 19:34:14 +0000
Hello,

Some info on the arpspoof preprocessor is listed here:
http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node17.html#SECTION003215000000000000000

An event should look like below for unicast ARP (in the pcap).

    debian9@debian9:/var/tmp/snort-2.9.15$ ./bin/snort -c etc/arpspoof.conf -r ~/Downloads/arp.pcap -Acmg -k none -q
    Arpspoof IPMacEntry List Size: 1
    192.168.40.1 -> f0:0f:00:f0:0f:00
    Arpspoof IPMacEntry List Size: 2
    192.168.40.1 -> f0:0f:00:f0:0f:00
    192.168.40.2 -> f0:0f:00:f0:0f:01
    11/10-21:00:25.652633 [**] [112:1:1] (spp_arpspoof) Unicast ARP request [**]

The settings used were:

    debian9@debian9:/var/tmp/snort-2.9.15$ cat etc/arpspoof.conf | grep arp
    preprocessor arpspoof: -unicast
    preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
    preprocessor arpspoof_detect_host: 192.168.40.2 f0:0f:00:f0:0f:01

The conf and pcap are attached.

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi () cisco com

From: Snort-sigs <snort-sigs-bounces () lists snort org> on behalf of Alius Fr via Snort-sigs <snort-sigs () lists snort org>
Reply-To: Alius Fr <luff0999 () gmail com>
Date: Monday, April 27, 2020 at 1:42 PM
To: "snort-sigs () lists snort org" <snort-sigs () lists snort org>
Subject: [Snort-sigs] Arpspoof Preproc failed

Hi community.

I'm new to Snort. I'm trying to set it up for a college's lab. They asked me to install and set up Snort to detect an arpspoof attack. I did what I could, but I have no alerts after doing the attack from a Kali Linux machine, and I lost connection, which means it doesn't work.

Do you have some documentation about it? There are a lot of video tutorials about Snort, but nobody talks about arpspoof configuration.

I'd really appreciate your help. Thank you in advance.
Attachment: arp.pcap
Attachment: arpspoof.conf
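
Added example, not part of the posts above and not Snort's own code: a simplified Python model of the kind of checks the arpspoof preprocessor configuration in the reply enables, run over constructed frames. The IP/MAC table reuses the two arpspoof_detect_host pairs from the reply; the finding labels other than "unicast ARP request", the build() helper and the address 02:00:00:00:00:99 are assumptions made for illustration.

```python
import struct

# IP -> MAC table: the same pairs as the arpspoof_detect_host lines in the reply.
HOSTS = {"192.168.40.1": "f0:0f:00:f0:0f:00", "192.168.40.2": "f0:0f:00:f0:0f:01"}
BROADCAST = "ff:ff:ff:ff:ff:ff"

def _mac(b):
    return ":".join(f"{x:02x}" for x in b)

def _ip(b):
    return ".".join(str(x) for x in b)

def check_arp(frame, hosts=HOSTS, unicast=True):
    """Return findings for one Ethernet frame; empty list if clean or not IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return []
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return []
    eth_dst, eth_src = _mac(frame[0:6]), _mac(frame[6:12])
    sha, spa, tha = _mac(frame[22:28]), _ip(frame[28:32]), _mac(frame[32:38])
    findings = []
    if unicast and op == 1 and eth_dst != BROADCAST:
        findings.append("unicast ARP request")  # modelled on the -unicast option
    if eth_src != sha:
        findings.append("ethernet/ARP source mismatch")
    if op == 2 and eth_dst != tha:
        findings.append("ethernet/ARP destination mismatch")
    expected = hosts.get(spa)  # only IPs listed in the table can be checked
    if expected and (sha != expected or eth_src != expected):
        findings.append("IP/MAC mapping conflict")
    return findings

def build(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Pack a constructed Ethernet + ARP frame (in-memory test input only)."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    i = lambda s: bytes(int(x) for x in s.split("."))
    hdr = struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, op)
    return m(eth_dst) + m(eth_src) + hdr + m(sha) + i(spa) + m(tha) + i(tpa)

# Constructed samples; ODD is a made-up MAC that is not in the table.
GW, H2, ODD, ZERO = HOSTS["192.168.40.1"], HOSTS["192.168.40.2"], "02:00:00:00:00:99", "00:00:00:00:00:00"
SAMPLES = {
    "broadcast request": build(BROADCAST, H2, 1, H2, "192.168.40.2", ZERO, "192.168.40.1"),
    "unicast request": build(GW, H2, 1, H2, "192.168.40.2", ZERO, "192.168.40.1"),
    "reply, wrong MAC for .1": build(H2, ODD, 2, ODD, "192.168.40.1", H2, "192.168.40.2"),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name}: {check_arp(frame) or 'no finding'}")
```

In this model, the reply that claims 192.168.40.1 from an unlisted MAC is flagged only while that IP is in the table; with an empty table the same frame produces no finding.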