[Snort-users] preprocessor arpspoof

Matt Kettler mkettler at ...4108...
Mon Aug 16 13:04:15 EDT 2004


At 11:14 AM 8/16/2004, Juan Fernandez wrote:
>Do I need to insert each mac address of a server that I want to monitor 
>for arp poisoning?
>
>If for example I have 50 servers on the DMZ that I want them to be 
>monitored for arp attacks, do I need to enter all there ips+mac addresses 
>here?

Yes.. although I'd suggest using arpwatch instead.. it's a much better tool 
for this kind of thing, and requires no configuration. It will keep track 
of ARPs, report new stations, report changes of MAC, bogus IP addresses, 
IPs that keep "flip-flopping" between two MACs, etc. It's a very handy tool.


The arpspoof preprocessor is handy if you only have one or two hosts to 
monitor, but if you've got lots of hosts, it's cumbersome.








More information about the Snort-users mailing list