Snort mailing list archives

Arpspoof preprocessor not generating alerts


From: Michael Psaila <mp971 () york ac uk>
Date: Thu, 24 Jul 2014 16:13:50 +0100

Hi all,

This is my first attempt at posting here, so my apologies if something goes
wrong.
I've performed an ARP Cache Poisoning attack using hping3 and recorded the
network traffic involved in a PCAP file.

I'm trying to run the PCAP file through snort in order to generate alerts
on the changes in the MAC addresses.
I'm using the latest version of Snort (2.9.2.2), running on Kali Linux.
To install Snort, I followed the instructions on Snort's website and
extracted the most recent rulesets available to registered users.

My snort.conf file contains the following lines:
preprocessor arpspoof
preprocessor arpspoof_detect_host: 192.168.187.150 00:0c:29:73:ab:f4
preprocessor arpspoof_detect_host: 192.168.187.175 00:0c:29:04:c9:2b

From the documentation I've read, I think that's all the configuration required.
I've also run the Snort test (snort -T -c /etc/snort/snort.conf), and all
seems to be working fine.

The complete snort.conf file can be viewed here:
http://pastebin.com/iE7VYW0s
Attached with this email is the PCAP file I'm passing through Snort.

The command I'm executing in the terminal is:
snort -r /root/PCAPs/ARP_Cache_Poisoning_2_victims.pcap -c /etc/snort/snort.conf -l /root/PCAPs/output.log

I've analysed the PCAP file manually, and am absolutely sure that there are
multiple ARP Replies with different MAC values for the same IP address.
Any ideas on why no alerts are being produced by the arpspoof preprocessor?

Thanks a lot,
Michael

Attachment: ARP_Cache_Poisoning_2_victims.pcap
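As an added example that is not part of the original post and not Snort's own code: a small stand-alone detector that reads a classic libpcap file and flags the same conditions the poster expects the arpspoof preprocessor to catch, checked against a static IP-to-MAC table in the spirit of the `arpspoof_detect_host` lines quoted above. The capture is constructed in memory (it is not the attached PCAP); the victim IPs and MACs are the ones from the post, and the attacker MAC `00:0c:29:aa:bb:cc` is an assumption. Beyond the configured-host check it also learns IP-to-MAC pairs from replies, so an IP whose MAC changes mid-capture is flagged even when no host table is configured, which is exactly the "multiple ARP replies with different MAC values for the same IP" condition described in the post.

```python
import struct

ETH_ARP = 0x0806
BROADCAST = b"\xff" * 6

def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))

def ip_str(b):
    return ".".join(str(x) for x in b)

def arp_frame(eth_src, eth_dst, opcode, sha, spa, tha, tpa):
    """Ethernet II frame carrying one ARP packet (opcode 1 = request, 2 = reply)."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)
    return eth + arp

def build_pcap(frames):
    """Classic libpcap file: 24-byte global header, then a 16-byte record per frame (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1406214830 + i, 0, len(f), len(f)) + f
    return out

def iter_arp(pcap):
    """Yield the ARP packets in a pcap byte string; handles both magic-number byte orders."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet pcaps are handled")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
            continue
        opcode = struct.unpack("!HHBBH", frame[14:22])[4]
        yield {"eth_dst": frame[0:6], "eth_src": frame[6:12], "opcode": opcode,
               "sha": frame[22:28], "spa": frame[28:32],
               "tha": frame[32:38], "tpa": frame[38:42]}

def detect(pcap, hosts):
    """hosts maps IP -> MAC, one entry per arpspoof_detect_host line. Returns (event, detail) tuples."""
    alerts, learned = [], {}
    for p in iter_arp(pcap):
        spa, sha = ip_str(p["spa"]), mac_str(p["sha"])
        # Ethernet source must agree with the ARP sender hardware address.
        if p["eth_src"] != p["sha"]:
            alerts.append(("ETHERNET/ARP SENDER MISMATCH",
                           f"frame src {mac_str(p['eth_src'])} vs ARP sender {sha} for {spa}"))
        # Requests are normally broadcast; a unicast request is a poisoning tell-tale.
        if p["opcode"] == 1 and p["eth_dst"] != BROADCAST:
            alerts.append(("UNICAST ARP REQUEST", f"from {spa} to {mac_str(p['eth_dst'])}"))
        if p["opcode"] == 2:
            if spa in hosts and hosts[spa].lower() != sha:
                alerts.append(("ARP CACHE OVERWRITE (configured host)",
                               f"{spa} claimed by {sha}, configured {hosts[spa]}"))
            elif learned.get(spa, sha) != sha:
                alerts.append(("ARP CACHE OVERWRITE (learned host)",
                               f"{spa} was {learned[spa]}, now {sha}"))
            learned.setdefault(spa, sha)
    return alerts

# Host table from the post; attacker MAC is an assumption for this constructed capture.
HOSTS = {"192.168.187.150": "00:0c:29:73:ab:f4",
         "192.168.187.175": "00:0c:29:04:c9:2b"}
ATTACKER = "00:0c:29:aa:bb:cc"

SAMPLE_PCAP = build_pcap([
    # Legitimate exchange: .175 asks for .150, .150 answers with its real MAC.
    arp_frame(HOSTS["192.168.187.175"], "ff:ff:ff:ff:ff:ff", 1, HOSTS["192.168.187.175"],
              "192.168.187.175", "00:00:00:00:00:00", "192.168.187.150"),
    arp_frame(HOSTS["192.168.187.150"], HOSTS["192.168.187.175"], 2, HOSTS["192.168.187.150"],
              "192.168.187.150", HOSTS["192.168.187.175"], "192.168.187.175"),
    # Poisoning: the attacker tells each victim that the other victim's IP lives at the attacker's MAC.
    arp_frame(ATTACKER, HOSTS["192.168.187.175"], 2, ATTACKER, "192.168.187.150",
              HOSTS["192.168.187.175"], "192.168.187.175"),
    arp_frame(ATTACKER, HOSTS["192.168.187.150"], 2, ATTACKER, "192.168.187.175",
              HOSTS["192.168.187.150"], "192.168.187.150"),
])

if __name__ == "__main__":
    for event, detail in detect(SAMPLE_PCAP, HOSTS):
        print(f"[{event}] {detail}")
```

Run against the constructed capture, `detect(SAMPLE_PCAP, HOSTS)` reports two configured-host overwrites, one per victim; with an empty host table it still reports the change of `192.168.187.150` from its real MAC to the attacker's. Swapping `SAMPLE_PCAP` for the bytes of a real capture file exercises the same logic. One caveat worth checking before blaming the preprocessor itself: in Snort 2.9 the arpspoof events are GID 112 preprocessor rules, and they fire only when the corresponding entries in preprocessor.rules are enabled or `config autogenerate_preprocessor_decoder_rules` is set in snort.conf.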

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users