Snort mailing list archives

Re: spp_arpspoof


From: bill.marquette () hewitt com
Date: Wed, 25 Jul 2001 12:26:11 -0500



Not at current.  It can be accomplished with a small amount of source changes
depending on the output routine you use.  I'm looking for Marty to provide some
input on how he'd like to see this implemented architecturally.  With the current
preprocessor event handling setup, it doesn't appear to me that the preprocessor
should be generating anything except the signature (the "directed arp request"
part) and that the log routine should handle everything else.  Naturally, that
would involve changing the output of a number of logging routines as I don't
think any of them (at least the few that I looked at...AlertFast and
spo_database being two examples) natively support ARP logging.  Please do keep
in mind that the arpspoof preprocessor is considered experimental in snort and
that Jeff Nathan has additionally commented (in the source) that it's proof of
concept code.  This is by no means a finished preprocessor, it's a great start,
but still has gaps that need to be filled in; the logging being one of those
gaps.

--Bill


From: auto241065@hushmail.com
To: snort-users () lists sourceforge net
Subject: [Snort-users] spp_arpspoof





Can this plugin be configured to log the actual directed arp requested, rather
than just the message, "directed arp request"?

Thanks


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




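
An added illustration (not Snort source, and not code from either poster) of the detail an ARP-aware output routine could record alongside the "directed arp request" message discussed in this thread. It assumes a directed ARP request is an ARP request whose Ethernet destination is unicast rather than broadcast; `format_arp_alert`, `mac` and `sample_frame` are hypothetical names, and the frame is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: ARP request sent to a unicast Ethernet destination. */
static const uint8_t sample_frame[42] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x02,0x00,0x00,0x00,0x00,0x01, /* dst, src */
    0x08,0x06, 0x00,0x01,0x08,0x00,0x06,0x04,0x00,0x01, /* ARP, Eth/IPv4, request */
    0x02,0x00,0x00,0x00,0x00,0x01, 192,0,2,10,          /* sender MAC / IP */
    0x00,0x00,0x00,0x00,0x00,0x00, 192,0,2,1            /* target MAC / IP */
};

static const char *mac(const uint8_t *m, char *buf)     /* buf: >= 18 bytes */
{
    snprintf(buf, 18, "%02x:%02x:%02x:%02x:%02x:%02x",
             m[0], m[1], m[2], m[3], m[4], m[5]);
    return buf;
}

/* Hypothetical helper, not a Snort function. Returns 1 for a directed
 * (unicast) ARP request, 0 for any other Ethernet/IPv4 ARP frame, -1 if the
 * frame is not well-formed Ethernet/IPv4 ARP. On 0 or 1, fills out. */
int format_arp_alert(const uint8_t *f, size_t len, char *out, size_t outlen)
{
    static const uint8_t bcast[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
    static const uint8_t eth_ipv4[6] = {0x00, 0x01, 0x08, 0x00, 0x06, 0x04};
    char d[18], s[18], t[18];
    if (len < 42 || f[12] != 0x08 || f[13] != 0x06)
        return -1;                       /* too short, or EtherType is not ARP */
    const uint8_t *a = f + 14;           /* ARP header follows Ethernet header */
    if (memcmp(a, eth_ipv4, 6) != 0)
        return -1;                       /* htype/ptype/hlen/plen mismatch */
    unsigned op = ((unsigned)a[6] << 8) | a[7];
    int directed = (op == 1 && memcmp(f, bcast, 6) != 0);
    snprintf(out, outlen,
             "%s: eth_dst=%s sender=%s/%u.%u.%u.%u target=%s/%u.%u.%u.%u",
             directed ? "directed arp request" : "arp",
             mac(f, d), mac(a + 8, s), a[14], a[15], a[16], a[17],
             mac(a + 18, t), a[24], a[25], a[26], a[27]);
    return directed;
}

int main(void)
{
    char line[160];
    if (format_arp_alert(sample_frame, sizeof sample_frame, line, sizeof line) == 1)
        puts(line);
    return 0;
}
```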

