[Snort-users] arpspoof unicast arp request from where?

Jeff Nathan jeff at ...950...
Mon Aug 5 15:06:04 EDT 2002


This is an excellent question.

Normally, you would use the logged packet to determine the source of the 
alert (We're working under the assumption that alert messages are basically 
static).

At the moment spp_arpspoof doesn't pass the packet that triggered the alert 
to the alerting functions but I'll remedy that ASAP.

-Jeff

--On Thursday, July 11, 2002 13:32:42 -0500 robin 
<mstubbs at ...842...> wrote:

> Hello. I upgraded to using Snort 1.8.7 on OpenBSD 3.1. I configured
> arpspoof thusly: arpspoof: -unicast
> So then it produced some alerts that look like this:
> "date-time [**] [112:1:1] unicast ARP request [**]"
> Well, how do I know where that is coming from? Is there a way to get more
> information about this, like the MAC address and IP address? Is this logged
> somewhere?


--
http://jeff.wwti.com            (pgp key available)
"Great spirits have always encountered violent opposition from mediocre
minds."
- Albert Einstein
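
The check discussed in this thread, as an added example that is not part of the original post and is not Snort's spp_arpspoof code: it parses a raw Ethernet frame, flags an ARP request whose Ethernet destination is not broadcast, and returns the sender MAC and IP the alert alone does not give. The function names and the sample frames (locally administered MACs, RFC 5737 addresses) are constructed for illustration.

```python
import socket
import struct

BROADCAST = b"\xff" * 6
ETH_P_ARP = 0x0806
ARP_REQUEST = 1

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def unicast_arp_request(frame):
    """Return source details if frame is an ARP request sent to a unicast
    Ethernet destination, else None. Untagged Ethernet II frames only."""
    if len(frame) < 14 + 28:
        return None  # too short for Ethernet header + IPv4-over-Ethernet ARP
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op != ARP_REQUEST:
        return None
    if dst == BROADCAST:
        return None  # ordinary broadcast "who-has" request
    return {
        "eth_src": mac(src), "eth_dst": mac(dst),
        "sender_mac": mac(sha), "sender_ip": socket.inet_ntoa(spa),
        "target_ip": socket.inet_ntoa(tpa),
        # Ethernet source differing from ARP sender MAC is worth a second look
        "src_mismatch": src != sha,
    }

def build(dst, src, op, sha, spa, tha, tpa):
    """Assemble a constructed ARP frame for the samples below."""
    return (dst + src + struct.pack("!H", ETH_P_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + sha + socket.inet_aton(spa) + tha + socket.inet_aton(tpa))

HOST_A = bytes.fromhex("020000000001")  # constructed sample MACs
HOST_B = bytes.fromhex("020000000002")
SAMPLES = [
    build(BROADCAST, HOST_A, 1, HOST_A, "192.0.2.10", b"\x00" * 6, "192.0.2.1"),
    build(HOST_B, HOST_A, 1, HOST_A, "192.0.2.10", b"\x00" * 6, "192.0.2.1"),
]

def scan(frames):
    return [hit for hit in map(unicast_arp_request, frames) if hit]

if __name__ == "__main__":
    for hit in scan(SAMPLES):
        print(hit)
```

Some hosts send unicast ARP requests to revalidate an existing cache entry, so compare the reported sender MAC and IP against known hosts before treating a hit as spoofing.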