[Snort-users] ARPspoof Question

Michael Esposito michael.esposito at ...5338...
Wed Sep 24 05:58:08 EDT 2003


I'm trying to get the arpspoof preprocessor to work properly.
I've been using Snort 1.83 on W2K.

I have the following in my snort.conf:

preprocessor arpspoof: -unicast
preprocessor arpspoof_detect_host: 192.168.0.1 00:00:d4:7d:3a:58


unicast ARP request alerts show up in ACID but they do not appear in the
ARP file under c:\snort\logs

Partial output from my ARP file:

09/21-23:56:06.589086 ARP reply 0.0.0.0 is-at 0:B B:99:F:95
09/21-23:56:07.545926 ARP who-has 0.0.0.0 tell 0.0.0.0
09/21-23:56:08.598975 ARP reply 0.0.0.0 is-at 0:B B:99:F:95


It was working for a while, but now I can't get it to log to this file
anymore.

Any suggestions?

Thanks,

michael 

________________________________________________________________
The best thing to hit the internet in years - Juno SpeedBand!
Surf the web up to FIVE TIMES FASTER!
Only $14.95/ month - visit www.juno.com to sign up today!




More information about the Snort-users mailing list