[Snort-users] How to detect massive ARPing from Ettercap?

twig les twigles at ...131...
Fri Sep 27 10:15:02 EDT 2002


Hey *, my latest spare-time toy is ettercap
(ettercap.sourceforge.net), which among many other
things, can map its subnet in about 10 seconds thru
massive arping.  Unfortunately my snort box didn't see
this happening.  More accurately, it saw it but didn't
generate any alerts.  I know it saw it because I ran
tcpdump on the snort box also.

Is there a way to catch this in 1.8.7?  I saw a post
this week about setting thresholds for rules (100 arps
in 10 seconds = alert), but I'm curious....

=====
-----------------------------------------------------------
Heavy metal made me do it.                        
-----------------------------------------------------------
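
The threshold idea mentioned in the post (100 ARPs in 10 seconds = alert), sketched as an added example that is not part of the original message and is not Snort code. The function names are hypothetical, counting distinct target IPs per sender MAC is an assumption of this sketch, and the frames and addresses are constructed sample input.

```python
import socket
import struct
from collections import defaultdict, deque

WINDOW_SECONDS, THRESHOLD = 10, 100  # the post's figure: 100 ARPs in 10 seconds

def parse_arp_request(frame):
    """Return (sender_mac, sender_ip, target_ip) for an Ethernet/IPv4 ARP request, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":  # too short, or EtherType is not ARP
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, 1):  # oper 1 = request
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return sha.hex(":"), socket.inet_ntoa(spa), socket.inet_ntoa(tpa)

def detect_arp_sweeps(packets, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """packets: time-ordered (timestamp, frame). Returns one (time, mac, ip, targets) per sweeping MAC."""
    recent = defaultdict(deque)  # sender MAC -> (timestamp, target_ip) inside the window
    alerted, alerts = set(), []
    for ts, frame in packets:
        parsed = parse_arp_request(frame)
        if parsed is None:
            continue
        mac, sender_ip, target_ip = parsed
        q = recent[mac]
        q.append((ts, target_ip))
        while ts - q[0][0] > window:       # drop requests older than the window
            q.popleft()
        distinct = len({t for _, t in q})  # repeated lookups of one address count once
        if distinct >= threshold and mac not in alerted:
            alerted.add(mac)
            alerts.append((ts, mac, sender_ip, distinct))
    return alerts

def make_request(sender_mac, sender_ip, target_ip):
    """Build a broadcast ARP request frame; used only to construct the sample input."""
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + sender_mac + socket.inet_aton(sender_ip)
    arp += b"\x00" * 6 + socket.inet_aton(target_ip)
    return b"\xff" * 6 + sender_mac + b"\x08\x06" + arp

# Constructed traffic: one host asks for 254 addresses in about 10 s, another re-asks for one address.
SCANNER, NORMAL = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
SAMPLE = [(i * 0.04, make_request(SCANNER, "192.0.2.50", f"192.0.2.{i + 1}")) for i in range(254)]
SAMPLE += [(20.0 + i, make_request(NORMAL, "192.0.2.60", "192.0.2.1")) for i in range(5)]

if __name__ == "__main__":
    print(detect_arp_sweeps(SAMPLE))
```

The sweeping host is flagged once, at its 100th distinct target; the host that keeps resolving a single address never reaches the threshold.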
