[Snort-users] Snort capturing ARP packets

David dwad24 at ...722...
Fri May 28 22:13:01 EDT 2004


Hey SGT b,

You could use the arp command on a unix or linux box and pipe it through a few other commands and cut and paste the output into your snort.conf file.... This is a messy way of doing it: (assuming your arp -a output is the same as mine!)

unixbox#  arp -a | tail -5 | tr -s ' ' ' ' | cut -f2,4 -d' '
192.168.1.1 00:01:03:63:83:2b
192.168.1.2 00:04:25:df:cf:55
192.168.1.3 00:06:23:dd:96:3f
etc.

hope that helps!

Dave

--- On Fri 05/28, sgt_b < sgt_b at ...11733... > wrote:
From: sgt_b [mailto: sgt_b at ...11733...]
To: snort-users at ...7753...: Fri, 28 May 2004 13:47:55 -0500
Subject: [Snort-users] Snort capturing ARP packets

Hey everyone,

Under what circumstances would Snort capture (or alert on) ARP packets? Is the arpspoof preprocessor the only thing that would trigger an alert based on an ARP packet?

From snort.conf:
"To make use of this preprocessor you must specify the IP and hardware address of hosts on the same layer 2 segment as you."

Does this mean that in order for arpspoof to work, one has to statically map all IP-MAC pairs? Seems like a lot of work for little return. ;)

Thanks!

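Added example (not part of the original thread and not code from the Snort project): a shell function that turns arp -a output into "preprocessor arpspoof_detect_host" lines for snort.conf. It goes beyond the one-liner in the reply by handling the Linux/BSD "(IP) at MAC" layout, skipping incomplete entries, and flagging a MAC that shows up for more than one IP so a cache that may already be poisoned is not pinned as-is. The function names, the assumed input layout and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: build arpspoof_detect_host lines from `arp -a` output.
# Assumed input layout (Linux/BSD): "? (IP) at MAC [ether] on IFACE".
# Real use: arp -an | arp_to_snort   (review before pasting into snort.conf)

arp_to_snort() {
    awk '
    {
        ip = ""; mac = ""
        for (i = 1; i <= NF; i++) {
            f = $i
            gsub(/[()]/, "", f)          # drop the parentheses around the IP
            if (ip == "" && f ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) ip = f
            # MAC: six colon-separated hex groups of one or two digits
            if (mac == "" && split($i, o, ":") == 6) {
                ok = 1; m = ""
                for (j = 1; j <= 6; j++) {
                    if (o[j] !~ /^[0-9A-Fa-f][0-9A-Fa-f]?$/) { ok = 0; break }
                    if (length(o[j]) == 1) o[j] = "0" o[j]   # BSD prints 0:4:...
                    m = m (j > 1 ? ":" : "") tolower(o[j])
                }
                if (ok) mac = m
            }
        }
        if (ip == "" || mac == "") next        # headers, <incomplete> entries
        if (mac == "ff:ff:ff:ff:ff:ff") next   # broadcast is not a host
        if (mac in owner) {
            # Same MAC for two IPs: proxy ARP, a multi-homed host, or a cache
            # that is already poisoned. Emit a comment instead of pinning it.
            print "# REVIEW " ip " " mac " (MAC already pinned to " owner[mac] ")"
            next
        }
        owner[mac] = ip
        print "preprocessor arpspoof_detect_host: " ip " " mac
    }'
}

# Constructed sample input, not captured from a real network.
sample_arp_output() {
    cat <<'EOF'
? (192.168.1.1) at 00:01:03:63:83:2b [ether] on eth0
? (192.168.1.2) at 0:4:25:df:cf:55 on en0 ifscope [ethernet]
? (192.168.1.3) at <incomplete> on eth0
? (192.168.1.4) at 00:01:03:63:83:2b [ether] on eth0
EOF
}

sample_arp_output | arp_to_snort
```

The generated lines only take effect when the arpspoof preprocessor itself is enabled in snort.conf, and the snapshot should be checked against a trusted inventory before it is pinned.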

