[Snort-users] preprocessor arpspoof, help!

Daniel Ascensão dpla at ...11214...
Sun Feb 15 10:35:02 EST 2004


Yes, I know what RTFM is!! I tried to find information about this 
particular pre-processor and I didn’t find any in the manual. The only 
information that I found is in the config file.

I’m sorry to you all if this is an idiotic question.

Daniel Ascensão



>At 17:53 15-02-2004, you wrote:
>>There is some documentation to be found in the docs directory of snort.
>>
>>Snort Manual.
>>
>>This is also found online.
>>
>>Do you know what a search engine is?  Do you know what RTFM is?
>>
>>
>>RE: Snortsnarf alert logging.
>>
>>Are you logging alerts?
>>
>>J.
>>
>>
>>:> -----Original Message-----
>>:> From: snort-users-admin at lists.sourceforge.net
>>:> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf
>>:> Of Daniel Ascensão
>>:> Sent: Sunday, February 15, 2004 7:55 AM
>>:> To: snort-users at lists.sourceforge.net
>>:> Subject: [Snort-users] preprocessor arpspoof, help!
>>:>
>>:>
>>:> Hi,
>>:>
>>:> I'm trying to use the arpspoof preprocessor but I have some
>>:> questions. First where can I find some documentation about it?
>>:>
>>:> I’m not sure how it works. I have this conf. in the arpspoof:
>>:>
>>:> preprocessor arpspoof
>>:> preprocessor arpspoof_detect_host: 10.0.99.153 0:30:84:ee:c4:34
>>:> preprocessor arpspoof_detect_host: 10.0.255.254 0:30:48:12:66:81
>>:>
>>:> If I get any ARP packet that matches this mapping I get the
>>:> following log:
>>:>
>>:> [**] [112:4:1] (spp_arpspoof) Attempted ARP cache overwrite attack [**]
>>:> 02/14-16:41:14.553565
>>:>
>>:> And if the ARP request or reply doesn’t match, it’s dropped silently.
>>:> However, what I want to do with the preprocessor is to have
>>:> an alert when I have an ARP request that doesn’t match the
>>:> mapping, and possibly drop it.
>>:>
>>:> Another question: these “alerts” don’t appear in SnortSnarf
>>:> reports, why?
>>:>
>>:> Thanks in advance
>>:>
>>:> Daniel Ascensão
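Added example, not part of the original thread and not Snort's code: a minimal Python model of a static IP-to-MAC check over raw ARP frames, using the two mappings from the configuration quoted above. The function names, the alert wording, and the rule that a listed IP seen with a different hardware address is what gets flagged are assumptions of this example; the test frames are constructed, not captured.

```python
import socket
import struct

# The two mappings from the arpspoof_detect_host lines quoted above.
KNOWN_HOSTS = {
    "10.0.99.153": "0:30:84:ee:c4:34",
    "10.0.255.254": "0:30:48:12:66:81",
}

def mac_bytes(mac):
    """Parse '0:30:84:ee:c4:34' (leading zeros optional) into 6 raw bytes."""
    return bytes(int(part, 16) for part in mac.split(":"))

def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)

def check_arp_frame(frame, table=KNOWN_HOSTS):
    """Return an alert string if a listed IP is claimed by another MAC, else None."""
    if len(frame) < 42:                       # 14-byte Ethernet + 28-byte ARP
        return None
    eth_src = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != 0x0806:
        return None                           # not ARP
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None                           # only Ethernet/IPv4 ARP is modelled
    sender_mac = frame[22:28]
    sender_ip = socket.inet_ntoa(frame[28:32])
    if sender_ip not in table:
        return None                           # unlisted IP: nothing to compare
    expected = mac_bytes(table[sender_ip])
    # Requests and replies both carry a sender pair, so both are checked.
    if eth_src != expected or sender_mac != expected:
        return (f"ARP mapping mismatch for {sender_ip}: expected "
                f"{mac_text(expected)}, saw {mac_text(sender_mac)}")
    return None

def build_arp(eth_src, sender_mac, sender_ip, target_ip, oper=2):
    """Build a broadcast ARP frame for testing (constructed, not captured)."""
    eth = b"\xff" * 6 + mac_bytes(eth_src) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    arp += mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
    arp += b"\x00" * 6 + socket.inet_aton(target_ip)
    return eth + arp
```

The check compares both the Ethernet source address and the ARP sender hardware address, since the two can differ in a forged frame.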