[Snort-devel] Arp Preprocessor Patch

José Diogo jdiogolopes at gmail.com
Thu Oct 11 12:23:37 EDT 2018


Hi,

This is a patch for the ARP preprocessor to produce more detailed messages regarding the ARP Cache Override Attacks. The patch adds the following information to the default message: SHA (Sender Hardware Address), SPA (Sender Protocol Address), THA (Target Hardware Address) and TPA (Target Protocol Address) as defined in the ARP protocol message. This way, instead of getting a somewhat ambiguous default message (i.e. "(spp_arpspoof) Attempted ARP cache overwrite attack"), it produces something like: "(spp_arpspoof) Attempted ARP cache overwrite attack, Mismatch mapping aa:aa:aa:aa:aa:aa <-> 172.27.248.1, sha bb:bb:bb:bb:bb:bb, spa 172.27.248.1, tha cc:cc:cc:cc:cc:cc, tpa 172.27.248.213".

Let me know your feedback.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: spp_arpspoof.c.diff
Type: application/octet-stream
Size: 2738 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20181011/c8d8a310/attachment.obj>
-------------- next part --------------


Best Regards,
José Monteiro
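
The detailed alert text described in the message above, as an added example that is not part of the original post or of the attached patch: C code that parses a 28-byte Ethernet/IPv4 ARP payload and builds the quoted message when the sender protocol address matches a configured IP-to-MAC entry but the sender hardware address differs. The names `arp_map` and `arp_overwrite_msg`, the comparison rule and the sample bytes are assumptions made for this example.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical names; not taken from spp_arpspoof.c or the patch. */
struct arp_map { uint8_t ip[4]; uint8_t mac[6]; };  /* configured IP <-> MAC */

static void fmt_mac(const uint8_t *m, char out[18]) {
    snprintf(out, 18, "%02x:%02x:%02x:%02x:%02x:%02x",
             m[0], m[1], m[2], m[3], m[4], m[5]);
}
static void fmt_ip(const uint8_t *a, char out[16]) {
    snprintf(out, 16, "%d.%d.%d.%d", a[0], a[1], a[2], a[3]);
}

/* Returns 1 and fills msg when SPA equals the configured IP but SHA differs
 * from the configured MAC (assumed rule); 0 when the packet is consistent or
 * unrelated; -1 when the payload is truncated or not Ethernet/IPv4 ARP. */
int arp_overwrite_msg(const uint8_t *arp, size_t len, const struct arp_map *map,
                      char *msg, size_t msglen)
{
    /* htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4 */
    static const uint8_t eth_ipv4[6] = { 0x00, 0x01, 0x08, 0x00, 6, 4 };
    if (len < 28 || memcmp(arp, eth_ipv4, 6) != 0)
        return -1;
    const uint8_t *sha = arp + 8, *spa = arp + 14, *tha = arp + 18, *tpa = arp + 24;
    if (memcmp(spa, map->ip, 4) != 0 || memcmp(sha, map->mac, 6) == 0)
        return 0;
    char m[18], s[18], t[18], mi[16], si[16], ti[16];
    fmt_mac(map->mac, m); fmt_mac(sha, s); fmt_mac(tha, t);
    fmt_ip(map->ip, mi); fmt_ip(spa, si); fmt_ip(tpa, ti);
    snprintf(msg, msglen, "(spp_arpspoof) Attempted ARP cache overwrite attack, "
             "Mismatch mapping %s <-> %s, sha %s, spa %s, tha %s, tpa %s",
             m, mi, s, si, t, ti);
    return 1;
}

/* Constructed ARP reply (opcode 2) using the addresses from the message above. */
static const uint8_t sample_arp[28] = {
    0x00,0x01, 0x08,0x00, 6, 4, 0x00,0x02,
    0xbb,0xbb,0xbb,0xbb,0xbb,0xbb, 172,27,248,1,
    0xcc,0xcc,0xcc,0xcc,0xcc,0xcc, 172,27,248,213 };
static const struct arp_map sample_map =
    { {172,27,248,1}, {0xaa,0xaa,0xaa,0xaa,0xaa,0xaa} };

int main(void) {
    char msg[256];
    if (arp_overwrite_msg(sample_arp, sizeof sample_arp, &sample_map, msg, sizeof msg) == 1)
        puts(msg);
    return 0;
}
```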

