[Snort-users] ARPspoof preprocessor, barnyard, & BASE

Michael B miboe60 at ...125...
Thu Apr 23 11:01:47 EDT 2015


My Snort is up & running and loads of events are being logged. After weeding out some false positives, I wanted to test the arpspoof preprocessor. 
So I enabled:

    preprocessor arpspoof
    preprocessor arpspoof_detect_host: 192.168.1.1 58:6d:8f:a0:40:7f
    preprocessor arpspoof_detect_host: 192.168.1.3 d4:3d:7e:38:37:4d

And ran an ARP attack using ettercap. The problem is that these events do not show up in my winids (nor in the mysql database). It seems to be a similar problem to this: http://seclists.org/snort/2012/q1/99

Now, I've checked my barnyard output window, and the ettercap events DO show up there, they are just not shown in the BASE UI. My feeling is thus that it is a formatting issue: the arpspoof preprocessor outputs the events in a format which barnyard cannot log to mysql OR which are incompatible with the BASE interface. What I don't know is how I can solve this.