[Snort-users] arp spoof

John Sage jsage at ...2022...
Fri Jun 28 06:01:01 EDT 2002


On Fri, Jun 28, 2002 at 05:48:03AM +0300, john wrote:
> hi everybody
>  i am new in using snort , when i read the arpspoof preprocessor i cant understand its role from those brief words in the snort.conf file is here another way to learn more about it and the other preprocessors other than snort manual
> 
> any help is appreciated.........

<snip>
#----------------------------------------
# Experimental ARP detection code from Jeff Nathan, detects ARP attacks,
# unicast ARP requests, and specific ARP mapping monitoring.  To make use
# of this preprocessor you must specify the IP and hardware address of hosts on
# the same layer 2 segment as you.  Specify one host IP MAC combo per line.
# Also takes a "-unicast" option to turn on unicast ARP request detection. 

# preprocessor arpspoof
# preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
# keep off as from 1.8.2
<snip>

umm..

ARP requests translate a hardware (NIC) address into an IP address.

If you don't understand this, you probably don't need to worry, as
there may be other fish to fry before you concern yourself with this sort
of thing.

Note that it does say "experimental", too..

If you *do* want to understand this, and a whole lot of other important
stuff, you can't go wrong with"

TCP/IP Illustrated, vol.1, W.R. Stevens, Addison-Wesley, 1994


- John
-- 
"You are in a little maze of twisty passages, all different."

PGP key      http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5 




More information about the Snort-users mailing list