[Snort-devel] Arp Preprocessor Patch
jdiogolopes at gmail.com
Tue Oct 30 07:22:21 EDT 2018
Can you give me some feedback?
> On 11/10/2018, at 17:23, José Diogo <jdiogolopes at gmail.com> wrote:
> This is a patch for the ARP preprocessor to produce more detailed messages regarding the ARP Cache Override Attacks. The patch adds the following information to the default message: SHA (Sender Hardware Address), SPA (Sender Protocol Address), THA (Target Hardware Address) and TPA (Target Protocol Address) as defined in the ARP protocol message. This way, instead of getting a somewhat ambiguous default message (i.e. "(spp_arpspoof) Attempted ARP cache overwrite attack"), it produces something like: "(spp_arpspoof) Attempted ARP cache overwrite attack, Mismatch mapping aa:aa:aa:aa:aa:aa <-> 172.27.248.1, sha bb:bb:bb:bb:bb:bb, spa 172.27.248.1, tha cc:cc:cc:cc:cc:cc, tpa 172.27.248.213".
> Let me know your feedback
> Best Regards,
> José Monteiro
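
Added example, not code from the patch or from Snort: a stand-alone sketch of where the four fields sit in an Ethernet/IPv4 ARP payload and how a mismatch against a trusted IP-to-MAC table can be rendered in the message format quoted above. The names arp_map, arp_check, SAMPLE_TABLE and SAMPLE_REPLY are assumptions, and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Ethernet/IPv4 ARP payload (RFC 826): 8-byte header, then SHA, SPA, THA, TPA. */
#define ARP_LEN 28
struct arp_map { uint8_t ip[4]; uint8_t mac[6]; };   /* one trusted IP <-> MAC binding */

/* Constructed sample data, mirroring the addresses in the message quoted above. */
static const struct arp_map SAMPLE_TABLE[] = {
    { {172, 27, 248, 1}, {0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa} } };
static const uint8_t SAMPLE_REPLY[ARP_LEN] = {
    0x00, 0x01, 0x08, 0x00, 6, 4, 0x00, 0x02,   /* htype, ptype, hlen, plen, op=reply */
    0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 172, 27, 248, 1,      /* SHA, SPA */
    0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 172, 27, 248, 213 };  /* THA, TPA */

static const char *mac_s(char *o, const uint8_t *m) {     /* o must hold 18 bytes */
    snprintf(o, 18, "%02x:%02x:%02x:%02x:%02x:%02x", m[0], m[1], m[2], m[3], m[4], m[5]);
    return o;
}
static const char *ip_s(char *o, const uint8_t *a) {      /* o must hold 16 bytes */
    snprintf(o, 16, "%d.%d.%d.%d", a[0], a[1], a[2], a[3]);
    return o;
}

/* 1 = SPA is in the table with a different MAC (msg filled), 0 = no mismatch,
 * -1 = not a well-formed Ethernet/IPv4 ARP payload. */
int arp_check(const uint8_t *p, size_t len, const struct arp_map *tbl, size_t n,
              char *msg, size_t msglen)
{
    static const uint8_t hdr[6] = {0x00, 0x01, 0x08, 0x00, 6, 4};
    if (len < ARP_LEN || memcmp(p, hdr, sizeof hdr) != 0) return -1;
    const uint8_t *sha = p + 8, *spa = p + 14, *tha = p + 18, *tpa = p + 24;
    char b[6][18];
    for (size_t i = 0; i < n; i++) {
        if (memcmp(tbl[i].ip, spa, 4) != 0) continue;   /* not the binding for this SPA */
        if (memcmp(tbl[i].mac, sha, 6) == 0) return 0;  /* sender matches the binding */
        snprintf(msg, msglen, "(spp_arpspoof) Attempted ARP cache overwrite attack, "
                 "Mismatch mapping %s <-> %s, sha %s, spa %s, tha %s, tpa %s",
                 mac_s(b[0], tbl[i].mac), ip_s(b[1], tbl[i].ip), mac_s(b[2], sha),
                 ip_s(b[3], spa), mac_s(b[4], tha), ip_s(b[5], tpa));
        return 1;
    }
    return 0;
}

int main(void) {
    char msg[256];
    if (arp_check(SAMPLE_REPLY, sizeof SAMPLE_REPLY, SAMPLE_TABLE, 1, msg, sizeof msg) == 1)
        puts(msg);
    return 0;
}
```

With all four fields in the alert, an analyst can see from one line which host claimed the address (sha), which address was claimed (spa) and which host was being told (tha/tpa).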