[Snort-devel] ARPSpoof.

Andrew Tan andtan_sg at ...445...
Sun Feb 15 18:03:01 EST 2004


Hi,
Arpspoof only detects the last entry in the configuration:
preprocessor arpspoof
preprocessor arpspoof_detect_host: 10.1.1.1 00:D0:59:26:85:5E
preprocessor arpspoof_detect_host: 10.1.1.2 00:D0:B7:44:9E:03

Got the following alerts when I spoofed 10.1.1.2:

[**] [112:4:1] Attempted ARP cache overwrite attack [**]
[Classification : Unknown]
02/10/04-09:18:10.017010 10.1.1.2 -> 10.1.1.2

[**] Attempted ARP cache overwrite attack [**]
02/10/04-09:18:10.017010 ARP who-has 10.1.1.4 tell 10.1.1.2

But when I tried to spoof 10.1.1.1 it did not raise any alert for me.

I modified the snort.conf to have the following

preprocessor arpspoof
preprocessor arpspoof_detect_host: 10.1.1.1 00:D0:59:26:85:5E

Now I got the following alerts:

[**] [112:4:1] Attempted ARP cache overwrite attack [**]
[Classification : Unknown]
02/10/04-09:23:38.733957 10.1.1.1 -> 10.1.1.1

[**] Attempted ARP cache overwrite attack [**]
02/10/04-09:23:38.733957 ARP reply 10.1.1.1 is-at 0:D:59:26:85:5E

It feels like it alerts only on the last host in the list.
I walked through the code of spp_arpspoof.c but couldn't identify where the
alerting goes wrong. Can anyone help me with this?

This works the same with the older versions of Snort too (snort-2.0.2).
Regards,
Tan.
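Added example, not Snort's spp_arpspoof.c and not code from the poster: a small self-contained C program that loads arpspoof_detect_host lines written exactly as in the message above into a table, keeping every entry rather than only the last one, and then checks constructed ARP replies against the whole table. It shows the behaviour the two-host configuration implies (an alert for a wrong MAC on either 10.1.1.1 or 10.1.1.2) and says nothing about where the real preprocessor goes wrong. The names host_table, add_detect_host, arp_reply_is_overwrite and the demo_* functions are this example's own; the host entries and the sample replies are constructed from the addresses in the post.

```c
/* Added example: table-driven ARP cache overwrite check over every
 * configured host. Not Snort's own implementation. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_HOSTS 32
#define DETECT_HOST_PREFIX "preprocessor arpspoof_detect_host:"

/* One monitored host: the IP and the MAC it is expected to answer from. */
struct host_entry {
    uint32_t ip;      /* IPv4 in host byte order */
    uint8_t  mac[6];
};

struct host_table {
    struct host_entry hosts[MAX_HOSTS];
    int count;
};

/* Parse "a.b.c.d" into host byte order. Returns 1 on success, 0 if malformed. */
int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
    return 1;
}

/* Parse "xx:xx:xx:xx:xx:xx"; each octet may be one or two hex digits,
 * so the unpadded form Snort prints in its alerts ("0:D:59:...") also parses. */
int parse_mac(const char *s, uint8_t mac[6])
{
    unsigned m[6];
    char tail;
    if (sscanf(s, "%2x:%2x:%2x:%2x:%2x:%2x%c",
               &m[0], &m[1], &m[2], &m[3], &m[4], &m[5], &tail) != 6) return 0;
    for (int i = 0; i < 6; i++) mac[i] = (uint8_t)m[i];
    return 1;
}

/* Append one "preprocessor arpspoof_detect_host: IP MAC" line to the table.
 * Every valid line adds an entry; none replaces an earlier one. Returns 1 if added. */
int add_detect_host(struct host_table *t, const char *line)
{
    char ip_s[32], mac_s[32];
    size_t plen = strlen(DETECT_HOST_PREFIX);
    if (strncmp(line, DETECT_HOST_PREFIX, plen) != 0) return 0;  /* e.g. bare "preprocessor arpspoof" */
    if (sscanf(line + plen, "%31s %31s", ip_s, mac_s) != 2) return 0;
    if (t->count >= MAX_HOSTS) return 0;
    struct host_entry *e = &t->hosts[t->count];
    if (!parse_ipv4(ip_s, &e->ip) || !parse_mac(mac_s, e->mac)) return 0;
    t->count++;
    return 1;
}

/* Core check: walk the whole table. Returns 1 (raise "Attempted ARP cache
 * overwrite attack") when the sender IP is monitored and the sender MAC differs
 * from the configured one; 0 when it matches or the IP is not monitored. */
int arp_reply_is_overwrite(const struct host_table *t,
                           uint32_t sender_ip, const uint8_t sender_mac[6])
{
    for (int i = 0; i < t->count; i++) {
        if (t->hosts[i].ip == sender_ip)
            return memcmp(t->hosts[i].mac, sender_mac, 6) != 0;
    }
    return 0;
}

/* Load the config lines from the post (constructed copy) and report how many
 * host entries the table holds afterwards: 2, one per arpspoof_detect_host line. */
int demo_hosts_loaded(void)
{
    struct host_table t = {0};
    add_detect_host(&t, "preprocessor arpspoof");  /* not a host line: ignored */
    add_detect_host(&t, "preprocessor arpspoof_detect_host: 10.1.1.1 00:D0:59:26:85:5E");
    add_detect_host(&t, "preprocessor arpspoof_detect_host: 10.1.1.2 00:D0:B7:44:9E:03");
    return t.count;
}

/* Run four constructed ARP replies through the check and count the alerts. */
int demo_alert_count(void)
{
    struct host_table t = {0};
    add_detect_host(&t, "preprocessor arpspoof_detect_host: 10.1.1.1 00:D0:59:26:85:5E");
    add_detect_host(&t, "preprocessor arpspoof_detect_host: 10.1.1.2 00:D0:B7:44:9E:03");

    struct { const char *ip, *mac; } replies[] = {
        { "10.1.1.1", "00:D0:59:26:85:5E" },  /* matches entry 1            -> no alert */
        { "10.1.1.1", "0:D:59:26:85:5E" },    /* MAC from the post's alert  -> alert    */
        { "10.1.1.2", "AA:BB:CC:DD:EE:FF" },  /* constructed wrong MAC      -> alert    */
        { "10.1.1.9", "AA:BB:CC:DD:EE:FF" },  /* not a monitored host       -> no alert */
    };
    int alerts = 0;
    for (size_t i = 0; i < sizeof replies / sizeof replies[0]; i++) {
        uint32_t ip;
        uint8_t mac[6];
        if (parse_ipv4(replies[i].ip, &ip) && parse_mac(replies[i].mac, mac))
            alerts += arp_reply_is_overwrite(&t, ip, mac);
    }
    return alerts;
}

int main(void)
{
    printf("hosts loaded: %d\n", demo_hosts_loaded());
    printf("alerts raised: %d\n", demo_alert_count());
    return 0;
}
```

The point of the table walk is that the lookup stops only when the sender IP is found, so an entry's position in the configuration does not decide whether it is checked; when debugging a preprocessor that seems to honour just one host, comparing its loaded table size against the number of configured lines (as demo_hosts_loaded does here) separates a parsing problem from a matching problem.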
