Snort mailing list archives

anything wrong with arpspoof preprocessor?


From: Shoelace <yc_koay () yahoo com sg>
Date: Sun, 8 Feb 2004 23:50:24 +0800 (CST)

Hi,
 
Noticed that arpspoof only detects the last entry in the configuration.
Does anyone have the same problem?
 
My configuration looks like this:
 
preprocessor arpspoof
preprocessor arpspoof_detect_host: 192.168.4.153 00:0D:56:54:75:D4
preprocessor arpspoof_detect_host: 192.168.4.239 00:02:B3:AC:E1:15
 
Test Scenario 1:
I fired the same attack at these two machines. Result: I am only seeing alerts for 192.168.4.239 but not 192.168.4.153.
 
Test Scenario 2:
I conducted a second test with this configuration:
 
preprocessor arpspoof
preprocessor arpspoof_detect_host: 192.168.4.153 00:0D:56:54:75:D4
 
Same attack fired, but I am able to detect 192.168.4.153 this time.
 
Test Scenario 3:
I moved 192.168.4.239 above 192.168.4.153. The configuration looks like this:
 
preprocessor arpspoof
preprocessor arpspoof_detect_host: 192.168.4.239 00:02:B3:AC:E1:15
preprocessor arpspoof_detect_host: 192.168.4.153 00:0D:56:54:75:D4
 
I am seeing alerts for 192.168.4.153 but not 192.168.4.239 now. 
 
Is there anything wrong with my configuration? 
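
As an added example (not part of the original post and not Snort's code), the Python below parses the arpspoof_detect_host lines from Test Scenario 1 and checks constructed ARP replies against every configured IP/MAC pair, giving an independent cross-check of which hosts should produce a mismatch. The substitute MAC 02:00:00:00:00:99, the target address 192.168.4.1 and all function names are assumptions made for the example.

```python
import re
import socket
import struct

# Configuration lines copied from Test Scenario 1 in the post.
SNORT_CONF = """\
preprocessor arpspoof
preprocessor arpspoof_detect_host: 192.168.4.153 00:0D:56:54:75:D4
preprocessor arpspoof_detect_host: 192.168.4.239 00:02:B3:AC:E1:15
"""
HOST_RE = re.compile(r"^\s*preprocessor\s+arpspoof_detect_host:\s*"
                     r"(\d{1,3}(?:\.\d{1,3}){3})\s+"
                     r"((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s*$", re.M)

def parse_detect_hosts(conf):
    """Return {ip: mac} for every arpspoof_detect_host line, not only the last."""
    return {ip: mac.lower() for ip, mac in HOST_RE.findall(conf)}

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def build_arp_reply(sender_mac, sender_ip,
                    target_mac="ff:ff:ff:ff:ff:ff", target_ip="192.168.4.1"):
    """Constructed test input: Ethernet II + ARP reply, built in memory only."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)  # Ethernet/IPv4, op=reply
    arp += mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
    arp += mac_bytes(target_mac) + socket.inet_aton(target_ip)
    return eth + arp

def sender_binding(frame):
    """Return (sender_ip, sender_mac) from an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    if struct.unpack("!HHBB", frame[14:20]) != (1, 0x0800, 6, 4):
        return None
    mac = ":".join(f"{b:02x}" for b in frame[22:28])
    return socket.inet_ntoa(frame[28:32]), mac

def mismatches(table, frames):
    """List (ip, expected_mac, seen_mac) for each frame contradicting the table."""
    bindings = filter(None, map(sender_binding, frames))
    return [(ip, table[ip], mac) for ip, mac in bindings
            if ip in table and table[ip] != mac]

# Constructed sample traffic: one consistent reply, two with a made-up MAC.
FAKE_MAC = "02:00:00:00:00:99"
TABLE = parse_detect_hosts(SNORT_CONF)
FRAMES = [build_arp_reply("00:0d:56:54:75:d4", "192.168.4.153"),
          build_arp_reply(FAKE_MAC, "192.168.4.153"),
          build_arp_reply(FAKE_MAC, "192.168.4.239")]
```

Running `mismatches(TABLE, FRAMES)` reports both configured hosts, so a sensor that alerts on only one of them is not evaluating the full table.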


