Snort mailing list archives

ARP Spoof does not show MAC


From: "Kim Wall" <kwall () the4walls net>
Date: Fri, 2 Apr 2004 08:15:27 -0600

I was hoping someone can clue me in on what is happening. I am using
Snort with packet sampling. I currently have my entire network sending
sampled packets to a single Snort sensor. Obviously, I have had to trim
the rules files in order to make sense in a sampled environment. I have
recently configured ARP Spoof, but the alerts in the alert file do not
include the MAC address of the offending datagram (the one performing
ARP poisoning). 
 
Here's what the line looks like in the alert log (in version 2.01 as
well as 2.1.1):
[**] [112:1:1] (spp_arpspoof) Unicast ARP request [**]
03/31-19:28:39.000000
 
I have started with a simple IP/MAC pair to play with:
preprocessor arpspoof: -unicast
preprocessor arpspoof_detect_host: 1.2.3.4 00:04:80:ee:11:00

I am using sFlowtool to reconstruct the original packets and pipe them
into Snort:
sflowtool -p 6343 -t | snort -c /etc/snort/snort.conf -e -d -X -w -r -
 
In the sFlow datagram, all of the information exists in the original
packet (MAC, IP etc.) and is reconstructed properly before being piped
into Snort. Any ideas on what is going on? Are there any L2 plug-ins
available that allow creating a rule with L2 info?
 
Thanks!
 
Kim 
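As an added illustration (not part of the original post, and not Snort's own code), the following Python script shows what the two arpspoof checks described above amount to at the packet level: flagging a unicast ARP request (the `-unicast` option) and flagging an ARP sender whose IP/MAC pair disagrees with a configured `arpspoof_detect_host` entry. The ARP frames it inspects are constructed inline; the alert strings, the `check_frame` function and the `known_hosts` table are this example's own names, and the logic approximates the preprocessor rather than reproducing it. The point is that the Ethernet source and ARP sender hardware addresses are right there in the frame, so an alert line can carry them.

```python
import struct
from typing import Dict, List, Optional

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(dst_mac: str, src_mac: str, op: int,
              sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build an Ethernet II frame carrying an IPv4 ARP packet (constructed test input)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))
    return eth + arp


def parse_arp(frame: bytes) -> Optional[dict]:
    """Return the Ethernet and ARP header fields, or None if the frame is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP packet
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "dst_mac": mac_str(frame[0:6]), "src_mac": mac_str(frame[6:12]), "op": op,
        "sha": mac_str(frame[22:28]), "spa": ip_str(frame[28:32]),
        "tha": mac_str(frame[32:38]), "tpa": ip_str(frame[38:42]),
    }


def check_frame(frame: bytes, known_hosts: Dict[str, str], unicast: bool = True) -> List[str]:
    """Approximate the arpspoof preprocessor's checks; every alert names the MACs involved.

    known_hosts maps IP -> expected MAC, like the arpspoof_detect_host lines in snort.conf.
    """
    arp = parse_arp(frame)
    if arp is None:
        return []
    alerts = []
    # Equivalent of 'preprocessor arpspoof: -unicast': a request not sent to the broadcast MAC.
    if unicast and arp["op"] == ARP_REQUEST and arp["dst_mac"] != BROADCAST:
        alerts.append(f"Unicast ARP request from {arp['src_mac']} ({arp['spa']}) to {arp['dst_mac']}")
    # Equivalent of arpspoof_detect_host: the sender claims a protected IP with the wrong MAC.
    expected = known_hosts.get(arp["spa"])
    if expected is not None and arp["sha"] != expected:
        kind = "request" if arp["op"] == ARP_REQUEST else "reply"
        alerts.append(f"ARP cache overwrite attempt: {kind} claims {arp['spa']} is at "
                      f"{arp['sha']}, expected {expected}")
    # Extra sanity check: Ethernet source and ARP sender hardware address should agree.
    if arp["src_mac"] != arp["sha"]:
        alerts.append(f"Ethernet/ARP sender mismatch: frame from {arp['src_mac']}, "
                      f"ARP sender {arp['sha']}")
    return alerts


if __name__ == "__main__":
    known = {"1.2.3.4": "00:04:80:ee:11:00"}  # the IP/MAC pair from the post
    frames = [
        build_arp(BROADCAST, "00:04:80:ee:11:00", ARP_REQUEST,
                  "00:04:80:ee:11:00", "1.2.3.4", "00:00:00:00:00:00", "1.2.3.5"),
        build_arp("00:11:22:33:44:55", "00:aa:bb:cc:dd:ee", ARP_REPLY,
                  "00:aa:bb:cc:dd:ee", "1.2.3.4", "00:11:22:33:44:55", "1.2.3.5"),
    ]
    for f in frames:
        for alert in check_frame(f, known):
            print(alert)
```

Feeding real traffic to this script would mean reading frames from a pcap or from the same reconstructed stream the post pipes into Snort; the constructed frames here are only to show the decision logic.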




