[Snort-users] arpspoof preprocessor

Matt Kettler mkettler at ...4108...
Mon Aug 19 17:26:02 EDT 2002

Quite frankly, I'd recommend using arpwatch if you want a good "automatic 
IP address change" detector. Very verbose output, automatically monitors 
all arps and logs new/changed IPs. Snort's arpspoof plugin is fairly new, 
and not quite that feature-rich yet. Functional, but not feature-rich.

At 10:37 AM 8/20/2002 +1200, Morgan Marquis-Boire wrote:
>Does anyone know how to get more verbose logging from the arpspoof 
>detection? My conf file is as follows:
>preprocessor arpspoof
>preprocessor arpspoof_detect_host: <localhost> <MAC address>
>preprocessor arpspoof_detect_host: <gateway> <MAC address>
>and the alerts I get read as follows.
>08/20-10:02:01.671517  [**] [112:3:1] Ethernet destination/ARP target 
>address mismatch [**]
>I would like to be able to get the ip address of the host whose MAC has 
>changed in the alert.

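The kind of monitoring the reply attributes to arpwatch (watch every ARP, log new or changed IP-to-MAC bindings) can be sketched as below, with the IP address included in each event as the original question asks. This is an added example, not code from arpwatch, Snort or either poster; the names `BindingTracker`, `parse_arp` and `sample_frame`, the event wording, the reply-only destination/target comparison, and the documentation-range addresses are all assumptions of the example.

```python
import struct
from ipaddress import IPv4Address

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_arp(frame):
    """Return (op, eth_dst, arp_target_mac, arp_sender_mac, arp_sender_ip) or None."""
    if len(frame) < 42:                      # 14-byte Ethernet + 28-byte ARP
        return None
    eth_dst, _src, etype = struct.unpack("!6s6sH", frame[:14])
    htype, ptype, hlen, plen, op, sha, spa, tha, _tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if etype != 0x0806 or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, mac(eth_dst), mac(tha), mac(sha), str(IPv4Address(spa))

class BindingTracker:
    """Learns IP-to-MAC bindings from ARP frames; reports new or changed ones."""
    def __init__(self, pinned=None):
        self.pinned = dict(pinned or {})     # static bindings, never overwritten
        self.learned = {}

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return []
        op, eth_dst, tha, sha, ip = parsed
        events = []
        if op == 2 and eth_dst != tha:       # reply whose two destination fields disagree
            events.append(f"ethernet destination/ARP target mismatch ip={ip} "
                          f"eth_dst={eth_dst} arp_target={tha}")
        known = self.pinned.get(ip, self.learned.get(ip))
        if known is None:
            events.append(f"new station ip={ip} mac={sha}")
        elif known != sha:
            events.append(f"changed address ip={ip} old={known} new={sha}")
        if ip not in self.pinned:
            self.learned[ip] = sha
        return events

def sample_frame(sha, spa, eth_dst="00:00:5e:00:53:10", tha="00:00:5e:00:53:10"):
    """Build a constructed ARP reply for testing (not captured traffic)."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    eth = struct.pack("!6s6sH", raw(eth_dst), raw(sha), 0x0806)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 2, raw(sha),
                      IPv4Address(spa).packed, raw(tha), IPv4Address("192.0.2.10").packed)
    return eth + arp
```

Pinned entries play the role of the statically configured host/MAC pairs in the quoted configuration: a conflicting frame is reported every time it is seen rather than being learned as the new binding.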