[Snort-users] preprocessor arpspoof, help!
dpla at ...11214...
Sun Feb 15 06:59:00 EST 2004
I'm trying to use the arpspoof preprocessor but I have some questions.
First, where can I find some documentation about it?
I'm not sure how it works. I have this conf in the arpspoof:
preprocessor arpspoof_detect_host: 10.0.99.153 0:30:84:ee:c4:34
preprocessor arpspoof_detect_host: 10.0.255.254 0:30:48:12:66:81
If I get any ARP packet that matches this mapping, I get the following log:
[**] [112:4:1] (spp_arpspoof) Attempted ARP cache overwrite attack [**]
And if the ARP request or reply doesn't match, it's dropped silently.
However, what I want to do with the preprocessor is to have an alert when I
have an ARP request that didn't match the mapping, and possibly drop it.
Another question: these alerts don't appear in SnortSnarf reports, why?
Thanks in advance
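
The check asked about above (flag an ARP request or reply whose sender IP is in the table but whose sender MAC differs), as an added Python example that is not part of the original post and not Snort's own code. Only the two IP-to-MAC pairs come from the post; the function names and the sample packets are constructed for illustration.

```python
import socket
import struct

# IP-to-MAC pairs from the arpspoof_detect_host lines in the post.
EXPECTED = {
    "10.0.99.153": "0:30:84:ee:c4:34",
    "10.0.255.254": "0:30:48:12:66:81",
}
ARP_FMT = "!HHBBH6s4s6s4s"  # ARP over Ethernet/IPv4 (RFC 826), 28 bytes
ARP_LEN = struct.calcsize(ARP_FMT)

def norm_mac(mac):
    """Normalise '0:30:84:ee:c4:34' to zero-padded lowercase."""
    return ":".join("%02x" % int(part, 16) for part in mac.split(":"))

def parse_arp(payload):
    """Return (opcode, sender_mac, sender_ip), or None if not Ethernet/IPv4 ARP."""
    if len(payload) < ARP_LEN:
        return None  # truncated packet
    htype, ptype, hlen, plen, op, sha, spa, _tha, _tpa = struct.unpack(
        ARP_FMT, payload[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, ":".join("%02x" % b for b in sha), socket.inet_ntoa(spa)

def check_arp(payload, expected=EXPECTED):
    """Return an alert string when a listed IP is claimed by another MAC."""
    parsed = parse_arp(payload)
    if parsed is None:
        return None
    op, mac, ip = parsed
    want = expected.get(ip)
    if want is None or norm_mac(want) == mac:
        return None  # unlisted host, or mapping matches
    kind = {1: "request", 2: "reply"}.get(op, "op %d" % op)
    return "ARP %s claims %s is at %s, expected %s" % (
        kind, ip, mac, norm_mac(want))

def build_arp(op, sender_mac, sender_ip, target_ip):
    """Build a constructed sample ARP payload (not captured traffic)."""
    sha = bytes(int(p, 16) for p in sender_mac.split(":"))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, sha,
                       socket.inet_aton(sender_ip), b"\x00" * 6,
                       socket.inet_aton(target_ip))
```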