Snort mailing list archives

preprocessor arpspoof, help!


From: Daniel Ascensão <dpla () mega ist utl pt>
Date: Sun, 15 Feb 2004 14:55:19 +0000

Hi,

I'm trying to use the arpspoof preprocessor but I have some questions.
First where can I find some documentation about it?

I’m not sure how it works. I have this conf in the arpspoof:
preprocessor arpspoof
preprocessor arpspoof_detect_host: 10.0.99.153 0:30:84:ee:c4:34
preprocessor arpspoof_detect_host: 10.0.255.254 0:30:48:12:66:81

If I get any arp package that matches this mapping, I get the following log:

[**] [112:4:1] (spp_arpspoof) Attempted ARP cache overwrite attack [**]
02/14-16:41:14.553565

And if the arp request or reply doesn’t match, it’s dropped silently. However, what I want to do with the preprocessor is to have an alert when I have an arp request that didn’t match the mapping and possibly drop it.

Another question: these “alerts” don’t appear in SnortSnarf reports. Why?

Thanks in advance

Daniel Ascensão
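
The check the message asks for (alert when a listed IP address is claimed by a different MAC address), as an added example that is not part of the original post and is not Snort's own code or a description of how spp_arpspoof decides. It reads the `arpspoof_detect_host` lines posted above; the function names are hypothetical and the ARP frames are constructed for the example.

```python
import re
import socket
import struct

# Config lines as posted in the message above.
CONF = """\
preprocessor arpspoof
preprocessor arpspoof_detect_host: 10.0.99.153 0:30:84:ee:c4:34
preprocessor arpspoof_detect_host: 10.0.255.254 0:30:48:12:66:81
"""

def norm_mac(mac):
    """Normalise '0:30:84:ee:c4:34' to '00:30:84:ee:c4:34'."""
    return ":".join("%02x" % int(p, 16) for p in mac.split(":"))

def load_table(conf):
    """Build {ip: mac} from the arpspoof_detect_host lines."""
    pat = re.compile(r"^\s*preprocessor\s+arpspoof_detect_host:\s*(\S+)\s+(\S+)", re.M)
    return {ip: norm_mac(mac) for ip, mac in pat.findall(conf)}

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha = ":".join("%02x" % b for b in frame[22:28])
    return op, sha, socket.inet_ntoa(frame[28:32])

def check(frame, table):
    """Return an alert string when a listed IP is claimed by an unlisted MAC."""
    arp = parse_arp(frame)
    if arp is None:
        return None
    op, sha, spa = arp
    expected = table.get(spa)
    if expected is not None and expected != sha:
        return "ARP mismatch: %s claimed by %s, expected %s (op %d)" % (spa, sha, expected, op)
    return None

def build_arp(op, sha, spa, tha, tpa):
    """Construct a sample broadcast ARP frame (constructed data, not a capture)."""
    mac = lambda m: bytes(int(p, 16) for p in m.split(":"))
    eth = mac("ff:ff:ff:ff:ff:ff") + mac(sha) + b"\x08\x06"
    return (eth + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac(sha) + socket.inet_aton(spa) + mac(tha) + socket.inet_aton(tpa))
```
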

