[Snort-users] preprocessor arpspoof
mkettler at ...4108...
Mon Aug 16 13:04:15 EDT 2004
At 11:14 AM 8/16/2004, Juan Fernandez wrote:
>Do I need to insert each mac address of a server that I want to monitor
>for arp poisoning?
>If for example I have 50 servers on the DMZ that I want them to be
>monitored for arp attacks, do I need to enter all their ips+mac addresses
Yes.. although I'd suggest using arpwatch instead.. it's a much better tool
for this kind of thing, and requires no configuration. It will keep track
of ARPs, report new stations, report changes of MAC, bogus IP addresses,
IPs that keep "flip-flopping" between two MACs, etc. It's a very handy tool.
The arpspoof preprocessor is handy if you only have one or two hosts to
monitor, but if you've got lots of hosts, it's cumbersome.
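
Added example, not part of the original post and not arpwatch's own code: a simplified tracker that learns IP-to-MAC bindings from observed ARP traffic and reports the kinds of events the reply lists (new stations, MAC changes, flip-flops, bogus IPs). The class, the event names, the local network and the sample observations are all constructed for illustration.

```python
# Added illustration: a simplified IP-to-MAC tracker, not arpwatch's code.
# Event names and the sample observations are constructed for this example.
import ipaddress


class ArpTracker:
    def __init__(self, local_net):
        self.net = ipaddress.ip_network(local_net)
        self.current = {}    # ip -> MAC last seen for that IP
        self.previous = {}   # ip -> MAC the IP had before the current one

    def observe(self, ip, mac):
        """Classify one (sender IP, sender MAC) pair taken from an ARP packet."""
        mac = mac.lower()
        if ipaddress.ip_address(ip) not in self.net:
            return "bogus_ip"            # address does not belong on this segment
        known = self.current.get(ip)
        if known is None:
            self.current[ip] = mac       # learned automatically, no static list
            return "new_station"
        if known == mac:
            return None                  # binding unchanged, nothing to report
        # Binding changed: flip-flop if it returned to the MAC it had before.
        event = "flip_flop" if self.previous.get(ip) == mac else "changed_mac"
        self.previous[ip], self.current[ip] = known, mac
        return event


def run(observations, local_net="192.0.2.0/24"):
    tracker = ArpTracker(local_net)
    return [(ip, mac, tracker.observe(ip, mac)) for ip, mac in observations]


# Constructed observations (documentation address ranges, made-up MACs).
SAMPLE = [
    ("192.0.2.10", "00:11:22:33:44:55"),    # first sighting
    ("192.0.2.10", "00:11:22:33:44:55"),    # same binding again
    ("192.0.2.10", "66:77:88:99:aa:bb"),    # MAC changed
    ("192.0.2.10", "00:11:22:33:44:55"),    # back to the earlier MAC
    ("198.51.100.7", "00:11:22:33:44:66"),  # outside the local network
]

if __name__ == "__main__":
    for ip, mac, event in run(SAMPLE):
        if event:
            print(f"{event:12} {ip} {mac}")
```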