RE: preprocessor arpspoof, help!

[Daniel Ascensão <dpla () mega ist utl pt>]

Yes I know what the RTFM is!! I tried find information about this 
particular pre-processor and I didn’t found any in the manual. The only 
information that I found is in config file.

I’m sry to you all if this is an idiot question.

Daniel Ascensão



> At 17:53 15-02-2004, you wrote:
> > There is some documentation to be found in the docs directory of snort.
> >
> > Snort Manual.
> >
> > This is also found online.
> >
> > Do you know what a search engine is?  Do you know what RTFM is?
> >
> >
> > RE: Snortsnarf alert logging.
> >
> > Are you logging alerts?
> >
> > J.
> >
> >
> > :> -----Original Message-----
> > :> From: snort-users-admin () lists sourceforge net
> > :> [mailto:snort-users-admin () lists sourceforge net] On Behalf
> > :> Of Daniel Ascensão
> > :> Sent: Sunday, February 15, 2004 7:55 AM
> > :> To: snort-users () lists sourceforge net
> > :> Subject: [Snort-users] preprocessor arpspoof, help!
> > :>
> > :>
> > :> Hi,
> > :>
> > :> I'm trying to use the arpspoof preprocessor but I have some
> > :> questions. First where can I find some documentation about it?
> > :>
> > :> I’m not sure how does it work, I have this conf. In the
> > :> arpspoof: preprocessor arpspoof preprocessor
> > :> arpspoof_detect_host: 10.0.99.153 0:30:84:ee:c4:34
> > :> preprocessor arpspoof_detect_host: 10.0.255.254 0:30:48:12:66:81
> > :>
> > :> if I get any arp package that match this mapping I get the
> > :> following log:
> > :>
> > :> [**] [112:4:1] (spp_arpspoof) Attempted ARP cache overwrite
> > :> attack [**] 02/14-16:41:14.553565
> > :>
> > :> And if the arp request or reply doesn’t match it’s dropped silently.
> > :> However, what I want to do with the preprocessor is to have
> > :> an alert when I
> > :> have arp request that didn’t match the mapping and possibly drop it.
> > :>
> > :> Another question, this “alerts” don’t appear in SnortSnarf
> > :> reports, why?
> > :>
> > :> Thks in advance
> > :>
> > :> Daniel Ascensão
> > :>
> > :>
> > :>
> > :> -------------------------------------------------------
> > :> SF.Net is sponsored by: Speed Start Your Linux Apps Now.
> > :> Build and deploy apps & Web services for Linux with
> > :> a free DVD software kit from IBM. Click Now!
> > :> http://ads.osdn.com/?ad_id56&alloc_id438:> &opÌk
> > :>
> > :> _______________________________________________
> > :>
> > :> Snort-users mailing list
> > :> Snort-users () lists sourceforge net
> > :> Go to this URL to change user options or unsubscribe:
> > :> :> https://lists.sourceforge.net/lists/listinfo/sno:> rt-users
> > :>
> > :>
> > :> Snort-users list archive:
> > :> http://www.geocrawler.com/redir-sf.php3?list
> > :>



-------------------------------------------------------
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id56&alloc_id438&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users