[Snort-users] arp preprocessor

Daniel Ascensão zyxmail at ...11221...
Mon Feb 16 06:42:09 EST 2004


Hi,

I'm trying to use the arpspoof preprocessor but I have some questions.
First, where can I find some documentation about it?

I’m not sure how it works. I have this conf in the arpspoof:
preprocessor arpspoof
preprocessor arpspoof_detect_host: 10.0.99.153 0:30:84:ee:c4:34
preprocessor arpspoof_detect_host: 10.0.255.254 0:30:48:12:66:81

If I get any ARP packet that matches this mapping, I get the following log:

[**] [112:4:1] (spp_arpspoof) Attempted ARP cache overwrite attack [**]
02/14-16:41:14.553565

And if the ARP request or reply doesn’t match, it’s dropped silently.
However, what I want to do with the preprocessor is to have an alert when I
have an ARP request that doesn’t match the mapping, and possibly drop it.

Another question: these “alerts” don’t appear in SnortSnarf reports. Why?

Thanks in advance

Daniel Ascensão 
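
Added example (not part of the original post and not Snort's own code): a stand-alone Python check of the behaviour the poster asks for, flagging an ARP sender whose IP/MAC pair disagrees with the arpspoof_detect_host mapping. The observed pairs are constructed sample data and all function names are hypothetical.

```python
import re

# The configuration lines quoted in the post.
CONF = """\
preprocessor arpspoof
preprocessor arpspoof_detect_host: 10.0.99.153 0:30:84:ee:c4:34
preprocessor arpspoof_detect_host: 10.0.255.254 0:30:48:12:66:81
"""

HOST_RE = re.compile(r"^\s*preprocessor\s+arpspoof_detect_host:\s*(\S+)\s+(\S+)\s*$")

def norm_mac(mac):
    """Normalise a MAC so '0:30:84:...' and '00:30:84:...' compare equal."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(f"{int(p, 16):02x}" for p in parts)

def load_mappings(conf_text):
    """Return {ip: normalised_mac} from arpspoof_detect_host lines."""
    table = {}
    for line in conf_text.splitlines():
        m = HOST_RE.match(line)
        if m:
            table[m.group(1)] = norm_mac(m.group(2))
    return table

def check_arp(table, sender_ip, sender_mac):
    """Classify one ARP sender (IP, MAC) pair against the table."""
    expected = table.get(sender_ip)
    if expected is None:
        return "unlisted"          # IP is not one of the protected hosts
    return "match" if norm_mac(sender_mac) == expected else "mismatch"

def audit(table, observations):
    """Return the pairs that should raise an alert (mismatches only)."""
    return [(ip, mac) for ip, mac in observations
            if check_arp(table, ip, mac) == "mismatch"]

# Constructed ARP sender pairs (not captured traffic).
OBSERVED = [
    ("10.0.99.153", "00:30:84:EE:C4:34"),   # agrees with the table
    ("10.0.255.254", "00:11:22:33:44:55"),  # listed IP, different MAC
    ("10.0.1.7", "00:aa:bb:cc:dd:ee"),      # IP not in the table
]

if __name__ == "__main__":
    for ip, mac in audit(load_mappings(CONF), OBSERVED):
        print(f"ALERT: {ip} announced as {mac}")
```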




