[Snort-users] arpspoof preprocessor

Morgan Marquis-Boire morganm at ...6655...
Mon Aug 19 19:01:03 EDT 2002


Thanks.
I have been using arpwatch; I was hoping that I could get snort to do the 
  same thing.
Ah well...

Morgan

Matt Kettler wrote:
> Quite frankly, I'd recommend using arpwatch if you want a good 
> "automatic IP address change" detector. Very verbose output, 
> automatically monitors all arps and logs new/changed IPs. Snort's 
> arpspoof plugin is fairly new, and not quite that feature-rich yet. 
> Functional, but not feature-rich.
> 
> At 10:37 AM 8/20/2002 +1200, Morgan Marquis-Boire wrote:
> 
>> Hey,
>> Does anyone know how to get more verbose logging from the arpspoof 
>> detection? My conf file is as follows:
>> preprocessor arpspoof
>> preprocessor arpspoof_detect_host: <localhost> <MAC address>
>> preprocessor arpspoof_detect_host: <gateway> <MAC address>
>>
>> and the alerts I get read as follows.
>>
>> 08/20-10:02:01.671517  [**] [112:3:1] Ethernet destination/ARP target 
>> address mismatch [**]
>>
>> I would like to be able to get the ip address of the host whose MAC 
>> has changed in the alert.
>>
>> Cheers,
>> Morgan
> 
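
An added example, not part of the original thread and not Snort or arpwatch code: a small checker that decodes ARP frames, tracks IP-to-MAC bindings, and names the IP address in each alert, which is the detail asked for above. The function names and all addresses are constructed for illustration; `pinned` plays the role of the `arpspoof_detect_host` entries and `learned` the role of arpwatch's database.

```python
import struct

ARP_REPLY = 2

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def ip(b):
    return ".".join(map(str, b))

def parse_arp(frame):
    """Decode an Ethernet frame carrying IPv4 ARP; return None for anything else."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_dst": mac(frame[0:6]), "eth_src": mac(frame[6:12]), "op": op,
            "sha": mac(frame[22:28]), "spa": ip(frame[28:32]),
            "tha": mac(frame[32:38]), "tpa": ip(frame[38:42])}

def check(frame, learned, pinned):
    """Return alert strings for one frame. learned: ip -> mac seen so far
    (updated in place); pinned: ip -> mac configured statically."""
    a = parse_arp(frame)
    if a is None:
        return []
    alerts = []
    if a["eth_src"] != a["sha"]:
        alerts.append(f"Ethernet source/ARP sender mismatch for {a['spa']}: "
                      f"frame from {a['eth_src']}, ARP says {a['sha']}")
    if a["op"] == ARP_REPLY and a["eth_dst"] != a["tha"]:
        alerts.append(f"Ethernet destination/ARP target mismatch in reply from "
                      f"{a['spa']}: frame to {a['eth_dst']}, ARP says {a['tha']}")
    known = pinned.get(a["spa"]) or learned.get(a["spa"])
    if known and known != a["sha"]:
        alerts.append(f"changed MAC for {a['spa']}: {known} -> {a['sha']}")
    if a["spa"] not in pinned:
        learned[a["spa"]] = a["sha"]  # remember the newest binding for unpinned hosts
    return alerts

def build(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Build a constructed sample frame (test data only, nothing is sent)."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    i = lambda s: bytes(map(int, s.split(".")))
    return (m(eth_dst) + m(eth_src) + b"\x08\x06"
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + m(sha) + i(spa) + m(tha) + i(tpa))

if __name__ == "__main__":
    GW, HOST, ROGUE = "00:00:5e:00:53:01", "00:00:5e:00:53:10", "00:00:5e:00:53:66"
    pinned, learned = {"192.0.2.1": GW}, {}
    for src in (GW, ROGUE):  # constructed replies: genuine gateway, then a changed MAC
        print(check(build(HOST, src, ARP_REPLY, src, "192.0.2.1", HOST, "192.0.2.10"), learned, pinned))
```
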




