Snort mailing list archives

Re: Arpspoof Preproc failed


From: "Al Lewis (allewi) via Snort-sigs" <snort-sigs () lists snort org>
Date: Mon, 27 Apr 2020 19:34:14 +0000

Hello,

Some info on the arpspoof preprocessor is listed here: 
http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node17.html#SECTION003215000000000000000.


An event should look like below for unicast ARP (in the pcap).

debian9@debian9:/var/tmp/snort-2.9.15$ ./bin/snort -c etc/arpspoof.conf -r ~/Downloads/arp.pcap -Acmg -k none -q

Arpspoof IPMacEntry List  Size: 1
192.168.40.1 -> f0:0f:00:f0:0f:00
Arpspoof IPMacEntry List  Size: 2
192.168.40.1 -> f0:0f:00:f0:0f:00
192.168.40.2 -> f0:0f:00:f0:0f:01

11/10-21:00:25.652633  [**] [112:1:1] (spp_arpspoof) Unicast ARP request [**]



The settings used were:

debian9@debian9:/var/tmp/snort-2.9.15$ cat etc/arpspoof.conf | grep arp
preprocessor arpspoof: -unicast
preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
preprocessor arpspoof_detect_host: 192.168.40.2 f0:0f:00:f0:0f:01



The conf and pcap are attached.



Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi () cisco com



From: Snort-sigs <snort-sigs-bounces () lists snort org> on behalf of Alius Fr via Snort-sigs <snort-sigs () lists snort org>
Reply-To: Alius Fr <luff0999 () gmail com>
Date: Monday, April 27, 2020 at 1:42 PM
To: "snort-sigs () lists snort org" <snort-sigs () lists snort org>
Subject: [Snort-sigs] Arpspoof Preproc failed

Hi community.

I'm new to Snort. I'm trying to set it up for a college's lab. They asked me to install and set up Snort to detect an 
arpspoof attack. I did what I could, but I have no alerts after doing the attack from a Kali Linux machine, and I lost 
connection, which means it doesn't work. Do you have some documentation about it? There are a lot of video tutorials 
about Snort, but nobody talks about arpspoof configuration.
I'd really appreciate your help.

Thank you in advance.

Attachment: arp.pcap
Description: arp.pcap

Attachment: arpspoof.conf
Description: arpspoof.conf
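
Added example (not part of the messages above and not Snort's own code): a simplified Python model of the checks the linked manual section describes for this configuration, run over constructed ARP frames. The host table mirrors the arpspoof_detect_host lines in the reply; the ROGUE MAC, the function names and the finding strings are assumptions made for illustration.

```python
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
# Same IP-to-MAC pairs as the arpspoof_detect_host lines in the reply above.
HOSTS = {"192.168.40.1": "f0:0f:00:f0:0f:00",
         "192.168.40.2": "f0:0f:00:f0:0f:01"}
ROGUE = "02:00:00:00:00:99"  # constructed MAC standing in for an unlisted host

def mac(b): return ":".join(f"{x:02x}" for x in b)
def ip(b): return ".".join(str(x) for x in b)
def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def ip_bytes(s): return bytes(int(p) for p in s.split("."))

def build_arp(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Build a constructed 42-byte Ethernet frame carrying an IPv4 ARP message."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return eth + arp + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)

def check_arp(frame, hosts=HOSTS, unicast=True):
    """Return the findings for one frame; an empty list means nothing flagged."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return []  # not a complete Ethernet ARP frame
    eth_dst, eth_src = mac(frame[0:6]), mac(frame[6:12])
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return []  # only Ethernet/IPv4 ARP is modelled here
    sha, spa = mac(frame[22:28]), ip(frame[28:32])
    findings = []
    if unicast and op == 1 and eth_dst != BROADCAST:
        findings.append("unicast ARP request")  # what -unicast turns on
    if eth_src != sha:
        findings.append("Ethernet source differs from ARP sender MAC")
    if spa in hosts and hosts[spa] != sha:
        findings.append(f"{spa} claimed by {sha}, expected {hosts[spa]}")
    return findings

def demo():
    """Check three constructed frames: broadcast request, unicast request, bad mapping."""
    m1, m2, zero = HOSTS["192.168.40.1"], HOSTS["192.168.40.2"], "00:00:00:00:00:00"
    frames = [
        build_arp(BROADCAST, m2, 1, m2, "192.168.40.2", zero, "192.168.40.1"),
        build_arp(m1, m2, 1, m2, "192.168.40.2", zero, "192.168.40.1"),
        build_arp(m2, ROGUE, 2, ROGUE, "192.168.40.1", m2, "192.168.40.2"),
    ]
    return [check_arp(f) for f in frames]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The third frame is the case the arpspoof_detect_host entries exist for: without a configured IP-to-MAC pair for the claimed address, the mapping check has nothing to compare against.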
