Snort mailing list archives
ARP Spoof does not show MAC
From: "Kim Wall" <kwall () foundrynet com>
Date: Wed, 31 Mar 2004 19:41:28 -0600
I was hoping someone can clue me in on what is happening. I am using Snort with packet sampling. I currently have my entire network sending sampled packets to a single Snort sensor. Obviously, I have had to trim the rules files in order to make sense in a sampled environment.

I have recently configured ARP Spoof, but the alerts in the alert file do not include the MAC address of the offending datagram (the one performing ARP poisoning). Here's what the line looks like in the alert log (in version 2.01 as well as 2.1.1):

    [**] [112:1:1] (spp_arpspoof) Unicast ARP request [**]
    03/31-19:28:39.000000

I have started with a simple IP/MAC pair to play with:

    preprocessor arpspoof: -unicast
    preprocessor arpspoof_detect_host: 1.2.3.4 00:04:80:ee:11:00

I am using sFlowtool to reconstruct the original packets and pipe them into Snort:

    sflowtool -p 6343 -t | snort -c /etc/snort/snort.conf -e -d -X -w -r -

In the sFlow datagram, all of the information exists in the original packet (MAC, IP etc.) and is reconstructed properly before being piped into Snort.

Any ideas on what is going on? Are there any L2 plug-ins available that allow creating a rule with L2 info?

Thanks!
Kim
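For readers who want to see what the two arpspoof checks referenced in the post actually test at layer 2, here is an added example, not Snort's own code and not part of the original message: a small Python re-implementation of the "-unicast" and "arpspoof_detect_host" logic that writes the Ethernet and ARP addresses into the alert text. The frame parser, the frame builder and the sample host table (the 1.2.3.4 / 00:04:80:ee:11:00 pair from the post) are constructed here.

```python
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def parse_arp_frame(frame: bytes):
    """Parse an Ethernet II frame carrying ARP; return None for anything else."""
    if len(frame) < 42:            # 14 bytes Ethernet + 28 bytes ARP
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        return None
    # ARP layout: htype(2) ptype(2) hlen(1) plen(1) oper(2) sha(6) spa(4) tha(6) tpa(4)
    oper = struct.unpack("!H", frame[20:22])[0]
    return {"eth_dst": mac_str(frame[0:6]), "eth_src": mac_str(frame[6:12]),
            "oper": oper, "sha": mac_str(frame[22:28]), "spa": ip_str(frame[28:32]),
            "tha": mac_str(frame[32:38]), "tpa": ip_str(frame[38:42])}

def check_arpspoof(frame: bytes, detect_hosts: dict, unicast: bool = True) -> list:
    """Return alert strings for one frame. detect_hosts maps IP -> expected MAC,
    mirroring 'arpspoof_detect_host' entries; unicast mirrors the '-unicast' flag."""
    arp = parse_arp_frame(frame)
    if arp is None:
        return []
    alerts = []
    # Check 1: ARP requests are normally broadcast; a unicast request is suspicious.
    if unicast and arp["oper"] == ARP_REQUEST and arp["eth_dst"] != BROADCAST:
        alerts.append(f"Unicast ARP request eth_src={arp['eth_src']} eth_dst={arp['eth_dst']} "
                      f"sender={arp['spa']}/{arp['sha']}")
    # Check 2: a configured host announcing a different MAC is a cache-overwrite attempt.
    expected = detect_hosts.get(arp["spa"])
    if expected is not None and expected != arp["sha"]:
        alerts.append(f"ARP cache overwrite attempt for {arp['spa']}: "
                      f"expected {expected}, got {arp['sha']} (eth_src={arp['eth_src']})")
    return alerts

def build_arp(eth_dst, eth_src, oper, sha, spa, tha, tpa) -> bytes:
    """Construct a sample ARP frame (constructed test input, not captured traffic)."""
    m = lambda s: bytes(int(x, 16) for x in s.split(":"))
    i = lambda s: bytes(int(x) for x in s.split("."))
    return (m(eth_dst) + m(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + m(sha) + i(spa) + m(tha) + i(tpa))

DETECT_HOSTS = {"1.2.3.4": "00:04:80:ee:11:00"}   # the pair from the post
```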
Current thread:
- ARP Spoof does not show MAC Kim Wall (Apr 02)
- Re: ARP Spoof does not show MAC Stephen W. Thompson (Apr 02)
- <Possible follow-ups>
- ARP Spoof does not show MAC Kim Wall (Apr 05)