[Snort-devel] Arp Preprocessor Patch

José Diogo jdiogolopes at gmail.com
Tue Oct 30 07:22:21 EDT 2018


Hi,

Can you give me some feedback?

Best Regards,
José Monteiro

> On 11/10/2018, at 17:23, José Diogo <jdiogolopes at gmail.com> wrote:
> 
> Hi,
> 
> This is a patch for the ARP preprocessor to produce more detailed messages regarding the ARP Cache Override Attacks. The patch adds the following information to the default message: SHA (Sender Hardware Address), SPA (Sender Protocol Address), THA (Target Hardware Address) and TPA (Target Protocol Address) as defined in the ARP protocol message. This way, instead of getting a somewhat ambiguous default message (i.e. "(spp_arpspoof) Attempted ARP cache overwrite attack"), it produces something like: "(spp_arpspoof) Attempted ARP cache overwrite attack, Mismatch mapping aa:aa:aa:aa:aa:aa <-> 172.27.248.1, sha bb:bb:bb:bb:bb:bb, spa 172.27.248.1, tha cc:cc:cc:cc:cc:cc, tpa 172.27.248.213".
> 
> Let me know your feedback
> <spp_arpspoof.c.diff>
> 
> Best Regards,
> José Monteiro
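
The attached diff is not reproduced on this page. As an added example (not the patch and not Snort's own code), the C sketch below shows one way the four ARP fields could be read from an Ethernet/IPv4 ARP payload and rendered in the message format quoted above. The helper `arp_overwrite_msg`, `SAMPLE_ARP` and `EXPECTED_MAC` are hypothetical names, and it assumes "Mismatch mapping" shows the statically configured MAC for the sender IP.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Ethernet/IPv4 ARP payload (RFC 826): 8-byte header, SHA(6) SPA(4) THA(6) TPA(4). */
enum { ARP_LEN = 28, OFF_SHA = 8, OFF_SPA = 14, OFF_THA = 18, OFF_TPA = 24 };

/* Constructed sample: ARP reply carrying the addresses from the quoted message. */
static const uint8_t SAMPLE_ARP[ARP_LEN] = {
    0x00, 0x01, 0x08, 0x00, 6, 4, 0x00, 0x02,
    0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 172, 27, 248, 1,
    0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 172, 27, 248, 213 };
/* Constructed: MAC statically configured for 172.27.248.1 (assumed meaning). */
static const uint8_t EXPECTED_MAC[6] = { 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa };

static void fmt_mac(const uint8_t *m, char *out) /* out holds 18 bytes */
{
    snprintf(out, 18, "%02x:%02x:%02x:%02x:%02x:%02x", m[0], m[1], m[2], m[3], m[4], m[5]);
}
static void fmt_ip(const uint8_t *a, char *out) /* out holds 16 bytes */
{
    snprintf(out, 16, "%u.%u.%u.%u", (unsigned)a[0], (unsigned)a[1], (unsigned)a[2], (unsigned)a[3]);
}

/* Hypothetical helper, not Snort's API. Returns 1 if an alert was written,
   0 if SHA matches the configured MAC, -1 on a malformed packet or small buffer. */
int arp_overwrite_msg(const uint8_t *arp, size_t len, const uint8_t *expected_mac,
                      char *buf, size_t buflen)
{
    char exp[18], sha[18], tha[18], spa[16], tpa[16];
    int n;
    /* Check length and htype=1, ptype=0x0800, hlen=6, plen=4 before reading fields. */
    if (len < ARP_LEN || memcmp(arp, "\x00\x01\x08\x00\x06\x04", 6) != 0)
        return -1;
    if (memcmp(arp + OFF_SHA, expected_mac, 6) == 0)
        return 0;
    fmt_mac(expected_mac, exp);
    fmt_mac(arp + OFF_SHA, sha); fmt_ip(arp + OFF_SPA, spa);
    fmt_mac(arp + OFF_THA, tha); fmt_ip(arp + OFF_TPA, tpa);
    n = snprintf(buf, buflen, "(spp_arpspoof) Attempted ARP cache overwrite attack, "
                 "Mismatch mapping %s <-> %s, sha %s, spa %s, tha %s, tpa %s",
                 exp, spa, sha, spa, tha, tpa);
    return (n < 0 || (size_t)n >= buflen) ? -1 : 1;
}

int main(void)
{
    char buf[256];
    if (arp_overwrite_msg(SAMPLE_ARP, sizeof SAMPLE_ARP, EXPECTED_MAC, buf, sizeof buf) == 1)
        puts(buf);
    return 0;
}
```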


