[Snort-users] arpspoof preprocessor
morganm at ...6655...
Mon Aug 19 19:01:03 EDT 2002
I have been using arpwatch; I was hoping that I could get snort to do the
Matt Kettler wrote:
> Quite frankly, I'd recommend using arpwatch if you want a good
> "automatic IP address change" detector. Very verbose output,
> automatically monitors all arps and logs new/changed IPs. Snort's
> arpspoof plugin is fairly new, and not quite that feature-rich yet.
> Functional, but not feature-rich.
> At 10:37 AM 8/20/2002 +1200, Morgan Marquis-Boire wrote:
>> Does anyone know how to get more verbose logging from the arpspoof
>> detection? My conf file is as follows:
>> preprocessor arpspoof
>> preprocessor arpspoof_detect_host: <localhost> <MAC address>
>> preprocessor arpspoof_detect_host: <gateway> <MAC address>
>> and the alerts I get read as follows.
>> 08/20-10:02:01.671517 [**] [112:3:1] Ethernet destination/ARP target
>> address mismatch [**]
>> I would like to be able to get the ip address of the host whose MAC
>> has changed in the alert.
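An added example, not part of the original thread and not Snort or arpwatch code: a minimal Python check that compares ARP frames against static IP/MAC bindings (the role the arpspoof_detect_host lines play above) and puts the affected IP address in the alert text. The addresses, the names check_arp_frame and build_arp, and the choice to apply the destination check to replies only are assumptions of this example.

```python
import struct

# Constructed IP -> MAC bindings, standing in for the arpspoof_detect_host
# lines (documentation-range IPs, locally administered MACs).
KNOWN_HOSTS = {"192.0.2.1": "02:00:00:00:00:01",
               "192.0.2.10": "02:00:00:00:00:10"}

def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def fmt_ip(raw):
    return ".".join(str(b) for b in raw)

def check_arp_frame(frame, known=KNOWN_HOSTS):
    """Return alert strings for one raw Ethernet frame carrying IPv4 ARP."""
    if len(frame) < 42:
        return []
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if ethertype != 0x0806 or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return []
    alerts, sender_ip = [], fmt_ip(spa)
    if eth_src != sha:
        alerts.append(f"Ethernet source/ARP sender mismatch: {sender_ip} "
                      f"eth={fmt_mac(eth_src)} arp={fmt_mac(sha)}")
    if op == 2 and eth_dst != tha:  # replies only (assumption of this example)
        alerts.append(f"Ethernet destination/ARP target mismatch: "
                      f"{fmt_ip(tpa)} eth={fmt_mac(eth_dst)} arp={fmt_mac(tha)}")
    expected = known.get(sender_ip)
    if expected is not None and expected != fmt_mac(sha):
        alerts.append(f"MAC changed for {sender_ip}: expected {expected}, "
                      f"saw {fmt_mac(sha)}")
    return alerts

def build_arp(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Build a constructed 42-byte test frame from hex MACs and dotted IPs."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    i = lambda s: bytes(int(x) for x in s.split("."))
    return (m(eth_dst) + m(eth_src)
            + struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, op)
            + m(sha) + i(spa) + m(tha) + i(tpa))

# Constructed sample: an ARP reply claiming the gateway IP from another MAC.
SPOOFED = build_arp("02:00:00:00:00:10", "02:00:00:00:00:66", 2,
                    "02:00:00:00:00:66", "192.0.2.1",
                    "02:00:00:00:00:10", "192.0.2.10")

if __name__ == "__main__":
    print("\n".join(check_arp_frame(SPOOFED)))
```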