[Snort-users] arpspoof preprocessor

Morgan Marquis-Boire morganm at ...6655...
Mon Aug 19 15:45:04 EDT 2002

Does anyone know how to get more verbose logging from the arpspoof 
detection? My conf file is as follows:
preprocessor arpspoof
preprocessor arpspoof_detect_host: <localhost> <MAC address>
preprocessor arpspoof_detect_host: <gateway> <MAC address>

and the alerts I get read as follows.

08/20-10:02:01.671517  [**] [112:3:1] Ethernet destination/ARP target 
address mismatch [**]

I would like to be able to get the ip address of the host whose MAC has 
changed in the alert.


More information about the Snort-users mailing list