[Snort-users] Re:Went to switched environment

Prins, J.H. J.H.Prins at ...1070...
Wed Jan 10 02:56:13 EST 2001


Could it be that the packets you receive through the spoofed ARP entry are
all destined for other IPs than your IP? Snort is detecting and identifying
packets on IP address, not on ARP address or whatever.

"Alert tcp any any <> any any" will probably include the packets that should
be at the gateway too. Like TCPDUMP.

Greetings,
J.H. Prins

-----Original Message-----
From: Ronny Huybrechts [mailto:ronny at ...1040...]
Sent: Saturday, January 06, 2001 1:39 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Re:Went to switched environment


By using arpspoof from the dsniff tools,
I can use tcpdump to display packets after starting
./arpspoof 'ip-of-our-internet-gateway'
(only interested in the big bad outer world)
but snort 1.7 (or 1.6.x) cannot see anything although
arpspoof is running.

Did I forget something?




