<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>
<p>My Snort is up &amp; running and loads of events are being logged. After weeding out some false positives, I wanted to test the arpspoof preprocessor.</p>
<p>So I enabled:</p>
<pre>preprocessor arpspoof
preprocessor arpspoof_detect_host: 192.168.1.1 58:6d:8f:a0:40:7f
preprocessor arpspoof_detect_host: 192.168.1.3 d4:3d:7e:38:37:4d</pre>
<p>And ran an ARP attack using ettercap. The problem is that these events do not show up in my winids (and neither in the MySQL database). It seems to be a similar problem to this: <a href="http://seclists.org/snort/2012/q1/99" rel="external nofollow" target="_blank">http://seclists.org/snort/2012/q1/99</a></p>
<p>Now, I've checked my barnyard output window, and the ettercap events DO show up there; they are just not shown in the BASE UI. My feeling is thus that it is a formatting issue: the arpspoof preprocessor outputs the events in a format which barnyard cannot log to MySQL OR which is incompatible with the BASE interface. What I don't know is how I can solve this.</p>
</div></body>
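<p>What the three configuration lines in the post ask the preprocessor to do can be shown with a small checker. The Python below is an added example written for this page, not Snort's own code: it parses <code>preprocessor arpspoof_detect_host:</code> lines into a static IP-to-MAC table and then flags any ARP reply whose sender IP is listed but whose sender MAC differs from the configured one, which is the condition that produces the events the poster is looking for. The ARP replies, the target host 192.168.1.50 and the MAC 00:11:22:33:44:55 are constructed sample values, and the alert wording is this example's own, not the preprocessor's.</p>

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the three preprocessor lines from the post.
SNORT_CONF = """\
preprocessor arpspoof
preprocessor arpspoof_detect_host: 192.168.1.1 58:6d:8f:a0:40:7f
preprocessor arpspoof_detect_host: 192.168.1.3 d4:3d:7e:38:37:4d
"""

# One "preprocessor arpspoof_detect_host: <ip> <mac>" line.
_HOST_LINE = re.compile(
    r"^\s*preprocessor\s+arpspoof_detect_host:\s*"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\s*$"
)


def parse_detect_hosts(conf: str) -> Dict[str, str]:
    """Build the static IP -> MAC table from arpspoof_detect_host lines.

    Lines that are not arpspoof_detect_host entries (including the bare
    'preprocessor arpspoof' line) are ignored. MACs are normalised to
    lower case so later comparisons are case-insensitive.
    """
    table: Dict[str, str] = {}
    for line in conf.splitlines():
        m = _HOST_LINE.match(line)
        if m:
            table[m["ip"]] = m["mac"].lower()
    return table


@dataclass(frozen=True)
class ArpReply:
    """The fields of an ARP reply that matter for the check."""
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str


def check_reply(table: Dict[str, str], reply: ArpReply) -> Optional[str]:
    """Return an alert string if the reply contradicts the table, else None.

    A reply for an IP that is not in the table is not judged at all: only
    hosts listed explicitly in the config are protected.
    """
    expected = table.get(reply.sender_ip)
    if expected is None:
        return None
    seen = reply.sender_mac.lower()
    if seen != expected:
        return (f"ARP reply for {reply.sender_ip} from {seen} "
                f"(configured MAC {expected}) sent to {reply.target_ip}")
    return None


def scan(table: Dict[str, str], replies: List[ArpReply]) -> List[str]:
    """Run check_reply over a stream of replies and collect the alerts."""
    return [a for a in (check_reply(table, r) for r in replies) if a is not None]


# Constructed ARP replies: 192.168.1.50 and 00:11:22:33:44:55 are placeholders.
SAMPLE_REPLIES = [
    # Gateway answering with its configured MAC: legitimate, no alert.
    ArpReply("192.168.1.1", "58:6d:8f:a0:40:7f", "192.168.1.50", "aa:bb:cc:dd:ee:01"),
    # Same IP claimed by a different MAC: the case the preprocessor alerts on.
    ArpReply("192.168.1.1", "00:11:22:33:44:55", "192.168.1.50", "aa:bb:cc:dd:ee:01"),
    # IP that is not listed in the config: not checked.
    ArpReply("192.168.1.77", "00:11:22:33:44:55", "192.168.1.50", "aa:bb:cc:dd:ee:01"),
]

if __name__ == "__main__":
    hosts = parse_detect_hosts(SNORT_CONF)
    for alert in scan(hosts, SAMPLE_REPLIES):
        print(alert)
```

<p>Running the block prints exactly one alert, for the second sample reply. Note that this only reproduces the detection condition; whether the resulting event then reaches MySQL and BASE depends on the output pipeline (unified2 file, barnyard, database schema) the post describes, which the example does not model.</p>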
</html>