Snort mailing list archives

Arp Preprocessor Patch


From: José Diogo via Snort-devel <snort-devel () lists snort org>
Date: Thu, 11 Oct 2018 17:23:37 +0100

Hi,

This is a patch for the ARP preprocessor to produce more detailed messages regarding the ARP Cache Override Attacks. 
The patch adds the following information to the default message: SHA (Sender Hardware Address), SPA (Sender Protocol 
Address), THA (Target Hardware Address) and TPA (Target Protocol Address) as defined in the ARP protocol message. This 
way, instead of getting a somewhat ambiguous default message (i.e. (spp_arpspoof) Attempted ARP cache overwrite attack), 
it produces something like: "(spp_arpspoof) Attempted ARP cache overwrite attack, Mismatch mapping aa:aa:aa:aa:aa:aa 
<-> 172.27.248.1, sha bb:bb:bb:bb:bb:bb, spa 172.27.248.1, tha cc:cc:cc:cc:cc:cc, tpa 172.27.248.213".

Let me know your feedback.

Attachment: spp_arpspoof.c.diff

Best Regards,
José Monteiro
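
The attached diff is not reproduced in this archive. As an added illustration (not the attached patch and not Snort's own code), the sketch below builds the message format quoted in the post from a raw Ethernet/IPv4 ARP payload. The function name `format_arp_overwrite_alert`, the sample packet, and the assumption that the IP in the "Mismatch mapping" part equals the SPA are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARP_ETH_IPV4_LEN 28 /* 8-byte fixed header + sha(6) + spa(4) + tha(6) + tpa(4) */

static void fmt_mac(const uint8_t *m, char buf[18]) {
    snprintf(buf, 18, "%02x:%02x:%02x:%02x:%02x:%02x",
             m[0], m[1], m[2], m[3], m[4], m[5]);
}
static void fmt_ip(const uint8_t *a, char buf[16]) {
    snprintf(buf, 16, "%u.%u.%u.%u", a[0], a[1], a[2], a[3]);
}

/* Returns 0 on success, -1 if the payload is short, not Ethernet/IPv4, or the
 * message does not fit. expected_mac: configured MAC for the sender IP (assumed). */
int format_arp_overwrite_alert(const uint8_t *arp, size_t len,
        const uint8_t expected_mac[6], char *out, size_t outlen) {
    char map[18], sha[18], tha[18], spa[16], tpa[16];
    int n;
    if (!arp || !expected_mac || !out || len < ARP_ETH_IPV4_LEN)
        return -1;
    /* htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4 */
    if (arp[0] != 0 || arp[1] != 1 || arp[2] != 0x08 || arp[3] != 0 ||
        arp[4] != 6 || arp[5] != 4)
        return -1;
    fmt_mac(expected_mac, map);
    fmt_mac(arp + 8, sha);  fmt_ip(arp + 14, spa);
    fmt_mac(arp + 18, tha); fmt_ip(arp + 24, tpa);
    n = snprintf(out, outlen,
                 "(spp_arpspoof) Attempted ARP cache overwrite attack, "
                 "Mismatch mapping %s <-> %s, sha %s, spa %s, tha %s, tpa %s",
                 map, spa, sha, spa, tha, tpa);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Constructed sample: ARP reply carrying the addresses from the quoted message. */
static const uint8_t SAMPLE_EXPECTED_MAC[6] = {0xaa,0xaa,0xaa,0xaa,0xaa,0xaa};
static const uint8_t SAMPLE_ARP[ARP_ETH_IPV4_LEN] = {
    0x00,0x01, 0x08,0x00, 6, 4, 0x00,0x02,
    0xbb,0xbb,0xbb,0xbb,0xbb,0xbb, 172,27,248,1,
    0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 172,27,248,213 };

int main(void) {
    char msg[256];
    if (format_arp_overwrite_alert(SAMPLE_ARP, sizeof SAMPLE_ARP,
                                   SAMPLE_EXPECTED_MAC, msg, sizeof msg) == 0)
        puts(msg);
    return 0;
}
```

Bounding every field with `snprintf` and rejecting payloads shorter than 28 bytes keeps a malformed or truncated ARP frame from causing an out-of-bounds read or an overlong alert string.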