[Snort-users] arpspoof preprocessor

Matt Kettler mkettler at ...4108...
Mon Aug 19 17:26:02 EDT 2002


Quite frankly, I'd recommend using arpwatch if you want a good "automatic 
IP address change" detector. Very verbose output, automatically monitors 
all arps and logs new/changed IPs. Snort's arpspoof plugin is fairly new, 
and not quite that feature-rich yet. Functional, but not feature-rich.

At 10:37 AM 8/20/2002 +1200, Morgan Marquis-Boire wrote:
>Hey,
>Does anyone know how to get more verbose logging from the arpspoof 
>detection? My conf file is as follows:
>preprocessor arpspoof
>preprocessor arpspoof_detect_host: <localhost> <MAC address>
>preprocessor arpspoof_detect_host: <gateway> <MAC address>
>
>and the alerts I get read as follows.
>
>08/20-10:02:01.671517  [**] [112:3:1] Ethernet destination/ARP target 
>address mismatch [**]
>
>I would like to be able to get the ip address of the host whose MAC has 
>changed in the alert.
>
>Cheers,
>Morgan

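Added example, not part of the original message and not Snort or arpwatch code: a small monitor that decodes ARP frames and names the IP address in every alert, combining an arpwatch-style changed-address check with a reply destination/target comparison like the one in the quoted alert. The class, the function names, the pinned table and the sample addresses are all assumptions made for illustration.

```python
import struct

ETH_ARP, OP_REPLY = 0x0806, 2

def mac(b): return ":".join(f"{x:02x}" for x in b)
def ip(b): return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Decode an Ethernet frame carrying IPv4 ARP; return None for anything else."""
    if len(frame) < 42:
        return None
    eth_dst, eth_src, etype = struct.unpack("!6s6sH", frame[:14])
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if etype != ETH_ARP or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return dict(eth_dst=mac(eth_dst), eth_src=mac(eth_src), op=op,
                sha=mac(sha), spa=ip(spa), tha=mac(tha), tpa=ip(tpa))

class ArpMonitor:
    def __init__(self, pinned):
        self.pinned = dict(pinned)  # static IP -> MAC pairs (hypothetical config)
        self.learned = {}           # IP -> last MAC seen on the wire

    def inspect(self, frame):
        """Return alert strings; each one names the IP address involved."""
        a = parse_arp(frame)
        if a is None:
            return []
        alerts, spa, sha = [], a["spa"], a["sha"]
        if a["op"] == OP_REPLY and a["eth_dst"] != a["tha"]:
            alerts.append(f"eth dst/ARP target mismatch: reply from {spa} "
                          f"eth_dst={a['eth_dst']} arp_target={a['tha']}")
        expected = self.pinned.get(spa)
        if expected and expected != sha:
            alerts.append(f"pinned host {spa} claimed by {sha}, expected {expected}")
        previous = self.learned.get(spa)
        if previous and previous != sha:
            alerts.append(f"changed ethernet address for {spa}: {previous} -> {sha}")
        self.learned[spa] = sha
        return alerts

def build_arp(op, eth_src, eth_dst, sha, spa, tha, tpa):
    """Construct a sample frame as bytes (test data only, nothing is sent)."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    i = lambda s: bytes(int(p) for p in s.split("."))
    return (m(eth_dst) + m(eth_src)
            + struct.pack("!HHHBBH", ETH_ARP, 1, 0x0800, 6, 4, op)
            + m(sha) + i(spa) + m(tha) + i(tpa))
```

To run it against live traffic, pass each captured frame's raw bytes to `ArpMonitor.inspect`; the capture source is left to the reader.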