[Snort-users] anything wrong with arpspoof preprocessor?

Shoelace yc_koay at ...5310...
Sun Feb 8 07:51:02 EST 2004


Hi,
 
Noticed that arpspoof only detects the last entry in the configuration. 
Does anyone have the same problem?
 
My configuration looks like this:
 
preprocessor arpspoof
preprocessor arpspoof_detect_host: 192.168.4.153 00:0D:56:54:75:D4
preprocessor arpspoof_detect_host: 192.168.4.239 00:02:B3:AC:E1:15
 
Test Scenario 1:
I fired the same attack at these two machines. Result: I am only seeing alerts for 192.168.4.239 but not 192.168.4.153.
 
Test Scenario 2:
I conducted a second test with this configuration:
 
preprocessor arpspoof
preprocessor arpspoof_detect_host: 192.168.4.153 00:0D:56:54:75:D4
 
Same attack fired, but I am able to detect 192.168.4.153 this time.
 
Test Scenario 3:
I moved 192.168.4.239 above 192.168.4.153. The configuration looks like this:
 
preprocessor arpspoof
preprocessor arpspoof_detect_host: 192.168.4.239 00:02:B3:AC:E1:15
preprocessor arpspoof_detect_host: 192.168.4.153 00:0D:56:54:75:D4
 
I am seeing alerts for 192.168.4.153 but not 192.168.4.239 now. 
 
Is there anything wrong with my configuration? 
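
An offline cross-check for the scenarios in the message above, added here as an example (it is not Snort's code and not part of the original post): it builds the IP-to-MAC table from every arpspoof_detect_host line and compares the sender fields of ARP frames against it, so a mismatch for either host is reported whatever the line order. The frames and the MAC 02:00:00:00:00:01 are constructed samples, and all function names are hypothetical.

```python
import struct

# Config lines copied from the post (Test Scenario 1).
SNORT_CONF = """\
preprocessor arpspoof
preprocessor arpspoof_detect_host: 192.168.4.153 00:0D:56:54:75:D4
preprocessor arpspoof_detect_host: 192.168.4.239 00:02:B3:AC:E1:15
"""

def load_hosts(conf):
    """Build an IP -> MAC table from every arpspoof_detect_host line."""
    table = {}
    for line in conf.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "preprocessor arpspoof_detect_host":
            ip, mac = value.split()
            table[ip] = mac.lower()
    return table

def parse_arp(frame):
    """(sender_ip, sender_mac) of an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    if struct.unpack("!HHBB", frame[14:20]) != (1, 0x0800, 6, 4):
        return None
    sha, spa = frame[22:28], frame[28:32]
    return ".".join(map(str, spa)), ":".join(f"{b:02x}" for b in sha)

def check(frame, table):
    """Alert text if the sender MAC contradicts the table, else None."""
    ip, mac = parse_arp(frame) or (None, None)
    expected = table.get(ip)
    if expected and mac != expected:
        return f"ARP mismatch for {ip}: saw {mac}, expected {expected}"

def make_reply(ip, mac):
    """Constructed ARP reply bytes for testing; never sent on a network."""
    sha = bytes.fromhex(mac.replace(":", ""))
    spa = bytes(int(o) for o in ip.split("."))
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2) + sha + spa + b"\x00" * 10
    return b"\xff" * 6 + sha + b"\x08\x06" + arp

def run(conf):
    """Check one mismatching frame per configured host plus one legitimate frame."""
    table = load_hosts(conf)
    wrong = "02:00:00:00:00:01"  # constructed MAC matching neither entry
    frames = [make_reply(ip, wrong) for ip in table]
    frames.append(make_reply("192.168.4.153", "00:0D:56:54:75:D4"))  # matches config
    return [a for a in (check(f, table) for f in frames) if a]
```

Running the same capture through a check like this shows which hosts a sensor should have alerted on, which helps separate a configuration mistake from a preprocessor that keeps only one entry.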

