[Snort-users] preprocessor arpspoof, help!

Daniel Ascensão dpla at ...11214...
Sun Feb 15 06:59:00 EST 2004


I'm trying to use the arpspoof preprocessor but I have some questions.
First where can I find some documentation about it?

I’m not sure how it works. I have this conf in the arpspoof:
preprocessor arpspoof
preprocessor arpspoof_detect_host: 0:30:84:ee:c4:34
preprocessor arpspoof_detect_host: 0:30:48:12:66:81

If I get any ARP packet that matches this mapping, I get the following log:

[**] [112:4:1] (spp_arpspoof) Attempted ARP cache overwrite attack [**]

And if the ARP request or reply doesn’t match, it’s dropped silently.
However, what I want to do with the preprocessor is to have an alert when I
have an ARP request that didn’t match the mapping, and possibly drop it.

Another question: these “alerts” don’t appear in SnortSnarf reports. Why?

Thanks in advance

Daniel Ascensão 
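
The check the post asks for (flag an ARP packet whose sender IP/MAC pair does not match a configured mapping), as an added example that is not part of the original post and is not Snort's code. The MACs are the two from the post's config; the IPs, the function names and the sample frames are assumptions constructed for illustration.

```python
import socket
import struct

# Static IP -> MAC table. MACs are from the post; the IPs are assumed
# (documentation range), since the config shown in the post lists none.
KNOWN_HOSTS = {
    "192.0.2.1": "00:30:84:ee:c4:34",
    "192.0.2.2": "00:30:48:12:66:81",
}

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def check_arp_frame(frame, known=KNOWN_HOSTS):
    """Return findings for one Ethernet frame; an empty list means clean."""
    if len(frame) < 42:
        return ["truncated frame"]
    _dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:          # not ARP
        return []
    htype, ptype, hlen, plen, _op, sha, spa, _tha, _tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return ["unsupported ARP header"]
    findings = []
    sender_ip, sender_mac = socket.inet_ntoa(spa), mac_str(sha)
    # Check 1: link-layer source must agree with the ARP sender field.
    if mac_str(eth_src) != sender_mac:
        findings.append(f"Ethernet source {mac_str(eth_src)} != ARP sender {sender_mac}")
    # Check 2: a sender IP in the table must come with its configured MAC.
    expected = known.get(sender_ip)
    if expected is not None and expected != sender_mac:
        findings.append(f"{sender_ip} claimed by {sender_mac}, expected {expected}")
    return findings

def build_arp(eth_src, sha, spa, tpa, op=2):
    """Build a constructed sample frame (test data, never sent)."""
    mac = lambda s: bytes(int(x, 16) for x in s.split(":"))
    return (mac("ff:ff:ff:ff:ff:ff") + mac(eth_src) + struct.pack("!H", 0x0806)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac(sha)
            + socket.inet_aton(spa) + bytes(6) + socket.inet_aton(tpa))

GOOD = build_arp("00:30:84:ee:c4:34", "00:30:84:ee:c4:34", "192.0.2.1", "192.0.2.2")
BAD = build_arp("de:ad:be:ef:00:01", "de:ad:be:ef:00:01", "192.0.2.1", "192.0.2.2")

if __name__ == "__main__":
    for name, frame in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_arp_frame(frame) or "ok")
```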