[Snort-users] Re: ARP Spoof does not show MAC
Stephen W. Thompson
thompson+snort at ...1016...
Fri Apr 2 07:36:11 EST 2004
"Kim Wall" <kwall at ...10348...> wrote:
> I was hoping someone can clue me in on what is happening. I am using
> Snort with packet sampling. I currently have my entire network sending
> sampled packets to a single Snort sensor. Obviously, I have had to trim
> the rules files in order to make sense in a sampled environment. I have
> recently configured ARP Spoof, but the alerts in the alert file do not
> include the MAC address of the offending datagram (the one performing
> ARP poisoning).
I discovered similar behavior last week, by chance. Even with the
-e and the -X flags, I could not get "snort -dv 'arp'" to show the
MAC addresses, and I, too, was trying to understand ARP poisoning.
I switched to tcpdump (with "-v -v -n -l -x -e -s 2000" flags) and
found that it *did* show MAC addresses, even for packets saved by snort
and for which snort still did not show MACs. So for now, I use tcpdump
for that situation (and for non IP traffic), and snort otherwise.
(Yeah, I could throw ethereal into the mix, too...)
However, after that work, I return to a theme that's been mentioned
several times before in this forum. When analyzing MACs on a subnet,
arpwatch may be a more appropriate tool than snort. [Caveat: I've not
used the plugins for snort such as ARP Spoof yet.]
More information about the Snort-users