[Snort-users] [Snort-Users] [Snort]: can we use it to detect ARP cache poisoning

Kevin Ross kevross33 at ...14012...
Mon Jul 25 03:54:24 EDT 2011

You want to use the arpspoof preprocessor in the snort.conf configuration
file. Snort generally detects attacks at higher levels in the OSI model and
usually isn't ideal for detecting datalink layer attacks such as arp
spoofing and so on.

Regards, Kevin

2.2.12 ARP Spoof Preprocessor

The ARP spoof preprocessor decodes ARP packets and detects ARP attacks,
unicast ARP requests, and inconsistent Ethernet to IP mapping.

When no arguments are specified to arpspoof, the preprocessor inspects
Ethernet addresses and the addresses in the ARP packets. When inconsistency
occurs, an alert with GID 112 and SID 2 or 3 is generated.

When "-unicast" is specified as the argument of arpspoof, the preprocessor
checks for unicast ARP requests. An alert with GID 112 and SID 1 will be
generated if a unicast ARP request is

Specify a pair of IP and hardware address as the argument to
arpspoof_detect_host. The host with the IP address should be on the same
layer 2 segment as Snort is. Specify one host IP MAC combo per line. The
preprocessor will use this list when detecting ARP cache overwrite attacks.
Alert SID 4 is used in this case.

    preprocessor arpspoof[: -unicast]
    preprocessor arpspoof_detect_host: ip mac

Option  Description
ip      IP address.
mac     The Ethernet address corresponding to the preceding IP.

Example Configuration

The first example configuration does neither unicast detection nor ARP
mapping monitoring. The preprocessor merely looks for Ethernet address
inconsistencies.

    preprocessor arpspoof

The next example configuration does not do unicast detection but monitors
ARP mapping for hosts and

    preprocessor arpspoof
    preprocessor arpspoof_detect_host: f0:0f:00:f0:0f:00
    preprocessor arpspoof_detect_host: f0:0f:00:f0:0f:01

The third example configuration has unicast detection enabled.

    preprocessor arpspoof: -unicast
    preprocessor arpspoof_detect_host: f0:0f:00:f0:0f:00
    preprocessor arpspoof_detect_host: f0:0f:00:f0:0f:01

On 24 July 2011 19:07, subh singh <subh.singh007 at ...11827...> wrote:

> hi all,
> I want some suggestion about ARP cache poisoning. How can we mitigate/
> prevent ARP cache poisoning attack using snort and which module is
> responsible for same.
> Can we add some more features to Snort to work over ARP cache
> poisoning.
> --regards
> subhash
> --
> To post to this group, send email to snortusers at ...14071...
> For more information, please visit http://www.snort.org
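The checks described in the manual excerpt above, modelled in Python over constructed frames (an added example, not Snort's code and not part of the original message). The 192.0.2.x addresses, the 02:00:... MACs and the helper names are constructed; the excerpt says only "SID 2 or 3", so the source/destination split between those two SIDs is an assumption.

```python
import struct
from ipaddress import IPv4Address

BROADCAST = b"\xff" * 6
# Constructed pin list: documentation-range IP, MAC taken from the manual's example.
KNOWN_HOSTS = {"192.0.2.1": "f0:0f:00:f0:0f:00"}

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def sample_frame(eth_dst, eth_src, oper, sha, spa, tha, tpa):
    """Build a constructed Ethernet II + ARP frame to feed inspect()."""
    head = mac(eth_dst) + mac(eth_src) + struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, oper)
    return head + mac(sha) + IPv4Address(spa).packed + mac(tha) + IPv4Address(tpa).packed

def inspect(frame, known_hosts=None, check_unicast=False):
    """Return the GID 112 SIDs the checks described above would raise."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return []  # not a complete Ethernet/ARP frame
    eth_dst, eth_src = frame[0:6], frame[6:12]
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper not in (1, 2):
        return []  # only IPv4-over-Ethernet requests (1) and replies (2)
    sha, spa, tha = frame[22:28], frame[28:32], frame[32:38]
    sids = []
    if oper == 1 and check_unicast and eth_dst != BROADCAST:
        sids.append(1)  # unicast ARP request (-unicast)
    elif eth_src != sha:
        sids.append(2)  # Ethernet source disagrees with ARP sender address
    elif oper == 2 and eth_dst != tha:
        sids.append(3)  # Ethernet destination disagrees with ARP target address
    pinned = (known_hosts or {}).get(str(IPv4Address(spa)))
    if pinned and (eth_src != mac(pinned) or sha != mac(pinned)):
        sids.append(4)  # sender claims a pinned IP with a different MAC
    return sids

if __name__ == "__main__":
    gw, host, other = "f0:0f:00:f0:0f:00", "02:00:00:00:00:10", "02:00:00:00:00:66"
    frames = {
        "normal reply": sample_frame(host, gw, 2, gw, "192.0.2.1", host, "192.0.2.10"),
        "wrong MAC for pinned IP": sample_frame(host, other, 2, other, "192.0.2.1", host, "192.0.2.10"),
        "header/ARP mismatch": sample_frame(host, other, 2, gw, "192.0.2.1", host, "192.0.2.10"),
    }
    for name, frame in frames.items():
        print(name, inspect(frame, KNOWN_HOSTS))
```

A reply that is internally consistent but carries the wrong MAC for a pinned IP raises only SID 4, which is why the arpspoof_detect_host entries matter: without them that frame produces no alert.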