[Snort-devel] (no subject)
lora_john at ...445...
Tue Jan 20 01:05:02 EST 2004
I am analysing snort-2.1.0 on Debian GNU/Linux 2.2 and facing problems with the
1. arpspoof is not alerting properly when a spoof is detected.
Say there is more than one IP/MAC address in the table. It always alerts
only for the last item in the list, even though the ARP frame is detected for
that particular IP/MAC.
I checked the code in spp_arpspoof.c for LookupIPMacEntryByIP():
    IPMacEntry *LookupIPMacEntryByIP(IPMacEntryList *ip_mac_entry_list, u_int32_t ipv4_addr)
    {
        IPMacEntryListNode *current;
        if (ip_mac_entry_list == NULL)
            return NULL;
        for (current = ip_mac_entry_list->head; current != NULL; current = current->next) {
            if (current->ip_mac_entry->ipv4_addr == ipv4_addr) {
                DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "MODNAME: LookupIPMacEntryByIP() match!"););
                return current->ip_mac_entry;
            }
        }
        return NULL;
    }
The matching of the IP/MAC address in the table is clear, but I couldn't
understand why it always reports the last node in the list. As I am new to
snort, I couldn't explore much of how snort detects these packets and logs them.
I even tried the patch from
http://oasis.uptsoft.com/~devnull/spp_arpspoof.c. Snort dies because it says
that arpspoof_detect_host is not recognised by it. I know that this is
like dynamic creation of these preprocessors on the packets on a threshold
basis. But say I wanted to configure a particular IP/MAC manually, then
how do I do it? Please do give your suggestions on this.
2. The alerting mechanism for rules looks different between snort-2.0.5 and
snort-2.1.0. Some of the rules do not raise alerts, even though the packet
matches the rule criteria.
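The lookup walk quoted in the post, rebuilt below as an added example in plain C. This is not Snort's code; the type and function names, the ARP sender check, the table self-check and every address and MAC are assumptions made for the illustration. It shows what a per-entry table must return for a forged sender (an alert that names the host that actually matched), and adds a consistency check that separates a table defect (nodes sharing one entry's storage, or duplicate IPs, either of which makes every match resolve to the same host's data) from a defect later in the alerting path.

```c
/* Added illustration, not code from Snort or spp_arpspoof.c: a minimal model of an
 * arpspoof-style IP/MAC table. Names loosely mirror the quoted lookup but are
 * assumptions, as are all addresses used below. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { uint32_t ipv4_addr; uint8_t mac[6]; } IPMacEntry;
typedef struct Node { IPMacEntry *entry; struct Node *next; } Node;
typedef struct { Node *head; Node *tail; } IPMacList;

/* Host-order IPv4 from a dotted quad, e.g. IP4(192,168,40,1). */
#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Parse "aa:bb:cc:dd:ee:ff" into out; 0 on success, -1 on bad input. */
int parse_mac(const char *s, uint8_t out[6]) {
    unsigned v[6];
    if (sscanf(s, "%2x:%2x:%2x:%2x:%2x:%2x", &v[0], &v[1], &v[2], &v[3], &v[4], &v[5]) != 6)
        return -1;
    for (int i = 0; i < 6; i++) out[i] = (uint8_t)v[i];
    return 0;
}

/* Append a monitored host with its own heap storage. If every node instead
 * pointed at one shared buffer, each lookup would yield the last host added. */
int add_host(IPMacList *l, uint32_t ip, const char *mac) {
    IPMacEntry *e = calloc(1, sizeof *e);
    Node *n = calloc(1, sizeof *n);
    if (!e || !n || parse_mac(mac, e->mac) != 0) { free(e); free(n); return -1; }
    e->ipv4_addr = ip;
    n->entry = e;
    if (l->tail) l->tail->next = n; else l->head = n;
    l->tail = n;
    return 0;
}

/* The walk from the lookup quoted in the post: first node whose IP matches. */
IPMacEntry *lookup_by_ip(const IPMacList *l, uint32_t ip) {
    if (!l) return NULL;
    for (Node *c = l->head; c; c = c->next)
        if (c->entry->ipv4_addr == ip) return c->entry;
    return NULL;
}

/* Check an ARP frame's sender fields. Returns 1 when the IP is monitored and
 * the sender MAC differs from the configured one (spoof alert); the configured
 * MAC is copied to expected so the alert names the host that matched, not
 * some other node. Returns 0 on a match or for an unmonitored IP. */
int check_arp_sender(const IPMacList *l, uint32_t sender_ip,
                     const uint8_t sender_mac[6], uint8_t expected[6]) {
    IPMacEntry *e = lookup_by_ip(l, sender_ip);
    if (!e) return 0;
    memcpy(expected, e->mac, 6);
    return memcmp(e->mac, sender_mac, 6) != 0;
}

/* Table self-check: every node resolves to its own entry and no two nodes
 * share one. Either failure makes alerts carry one host's data regardless of
 * which frame matched, so run this before suspecting the alert path. */
int table_is_consistent(const IPMacList *l) {
    size_t n = 0;
    for (Node *c = l->head; c; c = c->next, n++) {
        if (lookup_by_ip(l, c->entry->ipv4_addr) != c->entry) return 0;
        for (Node *d = c->next; d; d = d->next)
            if (d->entry == c->entry) return 0;
    }
    return n > 0;
}

void free_list(IPMacList *l) {
    for (Node *c = l->head, *next; c; c = next) { next = c->next; free(c->entry); free(c); }
    l->head = l->tail = NULL;
}

/* Constructed scenario: two monitored hosts, three ARP senders. Returns a
 * bitmask of passed checks; 15 means all four behaved, -1 means setup failed. */
int demo(void) {
    IPMacList l = {0};
    uint8_t seen[6], expected[6];
    int ok = 0;
    if (add_host(&l, IP4(192, 168, 40, 1), "f0:0f:00:f0:0f:00") != 0 ||
        add_host(&l, IP4(192, 168, 40, 2), "00:11:22:33:44:55") != 0) return -1;
    if (table_is_consistent(&l)) ok |= 1;
    parse_mac("de:ad:be:ef:00:01", seen);                 /* forged sender for .1 */
    if (check_arp_sender(&l, IP4(192, 168, 40, 1), seen, expected) == 1 &&
        expected[0] == 0xf0) ok |= 2;                      /* alert names the .1 entry */
    parse_mac("00:11:22:33:44:55", seen);                 /* genuine sender for .2 */
    if (check_arp_sender(&l, IP4(192, 168, 40, 2), seen, expected) == 0) ok |= 4;
    if (check_arp_sender(&l, IP4(10, 0, 0, 9), seen, expected) == 0) ok |= 8; /* unmonitored */
    free_list(&l);
    return ok;
}

int main(void) {
    printf("demo checks passed: %d (expect 15)\n", demo());
    return 0;
}
```

Build with a C99 compiler (cc -std=c99) and run. If a check of this shape passes against the real table, the "always the last node" symptom sits after the lookup, in how the matched entry is carried into the alert, rather than in the list itself.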