Snort mailing list archives
Re: spp_arpspoof
From: bill.marquette () hewitt com
Date: Wed, 25 Jul 2001 12:26:11 -0500
Not at current. It can be accomplished with a small amount of source changes depending on the output routine you use. I'm looking for Marty to provide some input on how he'd like to see this implemented architecturally.

With the current preprocessor event handling setup, it doesn't appear to me that the preprocessor should be generating anything except the signature (the "directed arp request" part) and that the log routine should handle everything else. Naturally, that would involve changing the output of a number of logging routines, as I don't think any of them (at least the few that I looked at... AlertFast and spo_database being two examples) natively support ARP logging.

Please do keep in mind that the arpspoof preprocessor is considered experimental in snort and that Jeff Nathan has additionally commented (in the source) that it's proof of concept code. This is by no means a finished preprocessor; it's a great start, but still has gaps that need to be filled in, the logging being one of those gaps.

--Bill

auto241065@hushmail.com
To: snort-users () lists sourceforge net
Subject: [Snort-users] spp_arpspoof

Can this plugin be configured to log the actual directed arp requested, rather than just the message, "directed arp request"?
Thanks

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users