[Snort-devel] (no subject)

lora john lora_john at ...445...
Tue Jan 20 01:05:02 EST 2004

I am analysing snort-2.1.0 on Debian GNU/Linux 2.2 and am facing problems with the 

1. arpspoof is not alerting properly when a spoof is detected.
Say there is more than one IP/MAC address in the table. It always alerts 
only for the last item in the list, even though the ARP frame is detected for 
that particular IP/MAC.

I checked the code in spp_arpspoof.c for LookupIPMacEntryByIP():

IPMacEntry *LookupIPMacEntryByIP(IPMacEntryList *ip_mac_entry_list,
        u_int32_t ipv4_addr)
{
    IPMacEntryListNode *current;

    if (ip_mac_entry_list == NULL)
        return NULL;

    /* walk the list and return the first entry whose IPv4 address matches */
    for (current = ip_mac_entry_list->head; current != NULL;
         current = current->next)
    {
        if (current->ip_mac_entry->ipv4_addr == ipv4_addr)
        {
            DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,
                       "MODNAME: LookupIPMecEntryByIP() match!"););
            return current->ip_mac_entry;
        }
    }
    return NULL;
}

The matching of the IP/MAC address in the table is clear, but I couldn't 
understand why it always reports for the last node in the list. As I am new to 
snort, I couldn't explore much of how snort detects these packets and logs them.

I even tried the patch from 
http://oasis.uptsoft.com/~devnull/spp_arpspoof.c. Snort dies because it says 
that arpspoof_detect_host is not recognised by it. I know that this is 
like dynamic creation of these preprocessors on the packets on a threshold 
basis. But say I wanted to manually configure a particular IP/MAC, then 
how do I do it? Please do give your suggestions on this.

2. The alerting mechanism for rules looks different between snort-2.0.5 and 
snort-2.1.0. Some of the rules do not raise alerts, even though the packet 
matches the rule criteria.


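Added example, not Snort's code and not from the poster (it does not claim to explain the behaviour reported above): a self-contained C sketch of what an ARP spoof preprocessor with a static IP/MAC table has to do. On every ARP reply it walks the whole table for the sender IP, compares the claimed MAC with the configured one, and additionally requires the Ethernet source address to agree with the ARP sender hardware address. The hosts, MACs, frames and all names used (IpMacTable, table_add, lookup_by_ip, parse_arp_frame, check_arp_reply, demo_verdict, DEMO_NET) are assumptions made for this example and are not identifiers from spp_arpspoof.c.

```c
/* Added example, not Snort's code: an IP/MAC host table plus the check an ARP spoof
 * detector applies to each reply. All names and hosts here are this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define ETH_HLEN 14
#define ARP_LEN  28                         /* Ethernet/IPv4 ARP body */
#define ETHERTYPE_ARP 0x0806
#define ARPOP_REPLY 2
enum { ARP_OK = 0, ARP_UNKNOWN_HOST, ARP_MAC_MISMATCH, ARP_ETH_MISMATCH, ARP_NOT_REPLY };
/* One configured host; ip is kept in host byte order. */
typedef struct IpMacEntry { uint32_t ip; uint8_t mac[6]; struct IpMacEntry *next; } IpMacEntry;
typedef struct { IpMacEntry *head; } IpMacTable;

/* Prepend a host. Each entry is its own allocation, so adding a second host
 * never overwrites the first one's address. */
static int table_add(IpMacTable *t, uint32_t ip, const uint8_t mac[6])
{
    IpMacEntry *e = calloc(1, sizeof *e);
    if (e == NULL) return -1;
    e->ip = ip; memcpy(e->mac, mac, 6);
    e->next = t->head; t->head = e;
    return 0;
}
/* Walk the whole list, not only one node, and return the entry for ip. */
static const IpMacEntry *lookup_by_ip(const IpMacTable *t, uint32_t ip)
{
    for (const IpMacEntry *cur = t->head; cur != NULL; cur = cur->next)
        if (cur->ip == ip) return cur;
    return NULL;
}
static void table_free(IpMacTable *t)
{
    while (t->head) { IpMacEntry *n = t->head->next; free(t->head); t->head = n; }
}

/* The fields of an ARP frame the detector needs. */
typedef struct { uint8_t eth_src[6]; uint16_t opcode; uint8_t sender_mac[6]; uint32_t sender_ip; } ArpInfo;

/* Parse Ethernet + Ethernet/IPv4 ARP. Returns 0 on success, -1 if malformed. */
static int parse_arp_frame(const uint8_t *pkt, size_t len, ArpInfo *out)
{
    if (len < ETH_HLEN + ARP_LEN) return -1;
    if (((pkt[12] << 8) | pkt[13]) != ETHERTYPE_ARP) return -1;
    const uint8_t *arp = pkt + ETH_HLEN;
    /* htype 1 (Ethernet), ptype 0x0800 (IPv4), hlen 6, plen 4 */
    if (arp[0] != 0 || arp[1] != 1 || arp[2] != 0x08 || arp[3] != 0 || arp[4] != 6 || arp[5] != 4) return -1;
    memcpy(out->eth_src, pkt + 6, 6);
    out->opcode = (uint16_t)((arp[6] << 8) | arp[7]);
    memcpy(out->sender_mac, arp + 8, 6);
    out->sender_ip = ((uint32_t)arp[14] << 24) | ((uint32_t)arp[15] << 16) | ((uint32_t)arp[16] << 8) | arp[17];
    return 0;
}
/* The detector's verdict for one ARP reply. */
static int check_arp_reply(const IpMacTable *t, const ArpInfo *a)
{
    if (a->opcode != ARPOP_REPLY) return ARP_NOT_REPLY;
    if (memcmp(a->eth_src, a->sender_mac, 6) != 0) return ARP_ETH_MISMATCH; /* link src vs. ARP sender */
    const IpMacEntry *e = lookup_by_ip(t, a->sender_ip);
    if (e == NULL) return ARP_UNKNOWN_HOST;
    return memcmp(e->mac, a->sender_mac, 6) == 0 ? ARP_OK : ARP_MAC_MISMATCH;
}

/* Build a constructed broadcast ARP reply in which src_mac claims src_ip. */
static size_t build_arp_reply(uint8_t *buf, const uint8_t src_mac[6], uint32_t src_ip)
{
    memset(buf, 0, ETH_HLEN + ARP_LEN); memset(buf, 0xff, 6);   /* dst: broadcast */
    memcpy(buf + 6, src_mac, 6);                                /* Ethernet source */
    buf[12] = 0x08; buf[13] = 0x06;                             /* EtherType ARP */
    uint8_t *arp = buf + ETH_HLEN;
    arp[1] = 1; arp[2] = 0x08; arp[4] = 6; arp[5] = 4; arp[7] = ARPOP_REPLY;
    memcpy(arp + 8, src_mac, 6);                                /* sender hardware address */
    arp[14] = (uint8_t)(src_ip >> 24); arp[15] = (uint8_t)(src_ip >> 16);
    arp[16] = (uint8_t)(src_ip >> 8);  arp[17] = (uint8_t)src_ip;
    return ETH_HLEN + ARP_LEN;
}

/* Constructed hosts: demo_macs[0..2] own 192.168.1.1 .. .3, demo_macs[3] is an attacker.
 * demo_verdict() loads the three hosts, then checks a reply from demo_macs[mac_idx]
 * claiming ip; corrupt_eth_src makes the Ethernet source differ from the ARP sender. */
static const uint8_t demo_macs[4][6] = { {0,0x11,0x22,0x33,0x44,1}, {0,0x11,0x22,0x33,0x44,2},
                                         {0,0x11,0x22,0x33,0x44,3}, {0xde,0xad,0xbe,0xef,0,1} };
#define DEMO_NET 0xC0A80100u                                    /* 192.168.1.0 */
static int demo_verdict(int mac_idx, uint32_t ip, int corrupt_eth_src)
{
    IpMacTable t = {NULL};
    uint8_t buf[ETH_HLEN + ARP_LEN];
    ArpInfo a;
    for (uint32_t i = 0; i < 3; i++) table_add(&t, DEMO_NET + 1 + i, demo_macs[i]);
    size_t n = build_arp_reply(buf, demo_macs[mac_idx], ip);
    if (corrupt_eth_src) buf[6] ^= 0x01;
    int v = parse_arp_frame(buf, n, &a) == 0 ? check_arp_reply(&t, &a) : -1;
    table_free(&t);
    return v;
}
int main(void)
{
    printf("genuine .1 .2 .3: %d %d %d   attacker claims .1: %d\n", demo_verdict(0, DEMO_NET + 1, 0),
           demo_verdict(1, DEMO_NET + 2, 0), demo_verdict(2, DEMO_NET + 3, 0), demo_verdict(3, DEMO_NET + 1, 0));
    return 0;
}
```

The table is built by prepending, so 192.168.1.1 ends up as the last node and 192.168.1.3 as the head; a genuine reply from any of the three must come back ARP_OK, which is the behaviour to compare against when a lookup seems to honour only one entry. The Ethernet-source check matters because a spoofer can put a victim's MAC in the ARP sender field while the frame itself leaves the attacker's interface.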
