Snort mailing list archives
Arpspoof preprocessor not generating alerts
From: Michael Psaila <mp971 () york ac uk>
Date: Thu, 24 Jul 2014 16:13:50 +0100
Hi all,

This is my first attempt at posting here, so my apologies if something goes wrong.

I've performed an ARP Cache Poisoning attack using hping3 and recorded the network traffic involved in a PCAP file. I'm trying to run the PCAP file through Snort in order to generate alerts on the changes in the MAC addresses. I'm using the latest version of Snort (2.9.2.2), running on Kali Linux. To install Snort, I followed the instructions on Snort's website and extracted the most recent rulesets available to registered users.

My snort.conf file contains the following lines:

    preprocessor arpspoof
    preprocessor arpspoof_detect_host: 192.168.187.150 00:0c:29:73:ab:f4
    preprocessor arpspoof_detect_host: 192.168.187.175 00:0c:29:04:c9:2b

From the documentation I've read, I think that's all the configuration required.

I've also run the Snort test (snort -T -c /etc/snort/snort.conf), and all seems to be working fine. The complete snort.conf file can be viewed here: http://pastebin.com/iE7VYW0s

Attached with this email is the PCAP file I'm passing through Snort. The command I'm executing in the terminal is:

    snort -r /root/PCAPs/ARP_Cache_Poisoning_2_victims.pcap -c /etc/snort/snort.conf -l /root/PCAPs/output.log

I've analysed the PCAP file manually, and am absolutely sure that there are multiple ARP Replies with different MAC values for the same IP address. Any ideas on why no alerts are being produced by the arpspoof preprocessor?

Thanks a lot,
Michael
Attachment: ARP_Cache_Poisoning_2_victims.pcap
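The detection the post is trying to get out of Snort is small enough to model directly. The following is an added example, not Snort's code and not code from the poster: it parses raw Ethernet/ARP frames and reports the four conditions the arpspoof preprocessor is documented to check (unicast ARP request, Ethernet/ARP source and destination MAC mismatch, and an ARP reply whose sender MAC differs from the configured one for a protected IP), using the two arpspoof_detect_host entries from the post as the protected-host table. The frames fed in are constructed inline; the "attacker" MAC 00:00:00:00:00:aa is a placeholder and the event numbering only loosely follows the preprocessor's GID 112 SIDs.

```python
"""Minimal ARP-spoof detector over raw Ethernet/ARP frames (added example, not Snort's code)."""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Event ids loosely follow the arpspoof preprocessor's GID 112 numbering.
EVENTS = {
    1: "unicast ARP request",
    2: "Ethernet/ARP source MAC mismatch",
    3: "Ethernet/ARP destination MAC mismatch",
    4: "ARP cache overwrite attack",
}

# Protected hosts, equivalent to the post's arpspoof_detect_host lines.
PROTECTED = {
    "192.168.187.150": "00:0c:29:73:ab:f4",
    "192.168.187.175": "00:0c:29:04:c9:2b",
}

def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)
def mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))

def build_arp(eth_src, eth_dst, op, sender_mac, sender_ip, target_mac, target_ip):
    """Build a 42-byte Ethernet II + ARP frame; used here only to construct sample input."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # Ethernet/IPv4 ARP, hlen 6, plen 4
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp

def parse_arp(frame):
    """Return a dict of ARP fields, or None if the frame is not an Ethernet/IPv4 ARP frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "eth_dst": mac_str(frame[0:6]), "eth_src": mac_str(frame[6:12]), "op": op,
        "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42]),
    }

def check_frame(arp, protected):
    """Return [(event_id, sender_ip), ...] for one parsed ARP frame."""
    hits = []
    if arp["op"] == ARP_REQUEST and arp["eth_dst"] != BROADCAST:
        hits.append(1)
    if arp["eth_src"] != arp["sender_mac"]:
        hits.append(2)
    if arp["op"] == ARP_REPLY:
        if arp["eth_dst"] != arp["target_mac"]:
            hits.append(3)
        expected = protected.get(arp["sender_ip"])
        # Only replies for a protected IP are checked, and only the MAC they announce matters.
        if expected is not None and arp["sender_mac"] != expected:
            hits.append(4)
    return [(h, arp["sender_ip"]) for h in hits]

def detect(frames, protected):
    """Run check_frame over raw frames, skipping anything that is not ARP."""
    events = []
    for raw in frames:
        arp = parse_arp(raw)
        if arp is not None:
            events.extend(check_frame(arp, protected))
    return events

def run_demo():
    """Constructed frames: one legitimate reply, one poisoned reply, one MAC mismatch, one unicast request, one non-ARP."""
    a_ip, a_mac = "192.168.187.150", "00:0c:29:73:ab:f4"
    b_ip, b_mac = "192.168.187.175", "00:0c:29:04:c9:2b"
    attacker = "00:00:00:00:00:aa"  # placeholder MAC, not from the post
    frames = [
        build_arp(a_mac, b_mac, ARP_REPLY, a_mac, a_ip, b_mac, b_ip),          # legitimate: no event
        build_arp(attacker, b_mac, ARP_REPLY, attacker, a_ip, b_mac, b_ip),    # .150 now "is-at" attacker: event 4
        build_arp(attacker, a_mac, ARP_REPLY, b_mac, b_ip, a_mac, a_ip),       # Ethernet src != ARP sender: event 2
        build_arp(b_mac, a_mac, ARP_REQUEST, b_mac, b_ip, "00:00:00:00:00:00", a_ip),  # unicast request: event 1
        b"\x00" * 12 + b"\x08\x00" + b"\x00" * 28,                             # IPv4 ethertype: ignored
    ]
    return detect(frames, PROTECTED)

if __name__ == "__main__":
    for event_id, ip in run_demo():
        print(f"[112:{event_id}] {EVENTS[event_id]} (sender {ip})")
```

Two things worth checking against this model when Snort stays silent on a capture like the one described: the cache-overwrite event only fires for ARP replies whose sender IP is in the arpspoof_detect_host list and whose announced sender MAC differs from the configured one, so the poisoned replies must carry the protected IP exactly; and in Snort 2.9 the arpspoof events are preprocessor events (GID 112) that are only raised when the preprocessor rules are enabled, which in the stock snort.conf means the `include $PREPROC_RULE_PATH/preprocessor.rules` line must not be commented out.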