[Snort-users] ARP Spoof does not show MAC
From: Kim Wall (kwall at foundrynet.com)
Date: Wed Mar 31 2004 - 19:41:28 CST
I was hoping someone can clue me in on what is happening. I am using
Snort with packet sampling. I currently have my entire network sending
sampled packets to a single Snort sensor. Obviously, I have had to trim
the rules files in order to make sense in a sampled environment. I have
recently configured ARP Spoof, but the alerts in the alert file do not
include the MAC address of the offending datagram (the one performing
ARP poisoning).
Here's what the line looks like in the alert log (in version 2.01 as
well as 2.1.1):
[**] [112:1:1] (spp_arpspoof) Unicast ARP request [**]
03/31-19:28:39.000000
I have started with a simple IP/MAC pair to play with:
preprocessor arpspoof: -unicast
preprocessor arpspoof_detect_host: 1.2.3.4 00:04:80:ee:11:00
I am using sFlowtool to reconstruct the original packets and pipe them
into Snort:
sflowtool -p 6343 -t | snort -c /etc/snort/snort.conf -e -d -X -w -r -
In the sFlow datagram, all of the information exists in the original
packet (MAC, IP etc.) and is reconstructed properly before being piped
into Snort. Any ideas on what is going on? Are there any L2 plug-ins
available that allow creating a rule with L2 info?
Thanks!
Kim
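The two checks the post configures (flag unicast ARP requests with -unicast, and pin 1.2.3.4 to 00:04:80:ee:11:00 with arpspoof_detect_host) are easy to reproduce outside Snort, and doing so shows what an alert that carries the L2 addresses looks like. The following is an added example and not code from the post, from Snort or from sflowtool: it parses raw Ethernet/ARP frames, applies both checks, and emits alerts that name the Ethernet source and ARP sender MACs. The sample frames, the DETECT_HOSTS table and the alert wording are constructed for the example; the wording only loosely follows the spp_arpspoof messages.

```python
import struct

ETH_P_ARP = 0x0806
BROADCAST = b"\xff" * 6
ARP_REQUEST, ARP_REPLY = 1, 2

# Assumed watch list, mirroring the post's
#   preprocessor arpspoof_detect_host: 1.2.3.4 00:04:80:ee:11:00
DETECT_HOSTS = {"1.2.3.4": "00:04:80:ee:11:00"}


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(s):
    return bytes(int(o) for o in s.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Assemble a raw Ethernet II + ARP frame (used here only to construct samples)."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))
    return eth + arp


def parse_arp(frame):
    """Return the Ethernet and ARP fields of an ARP-over-Ethernet frame, or None."""
    if len(frame) < 42:
        return None
    eth_dst, eth_src = frame[0:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "eth_dst": eth_dst, "eth_src": eth_src, "op": op,
        "sha": frame[22:28], "spa": frame[28:32],
        "tha": frame[32:38], "tpa": frame[38:42],
    }


def check_frame(frame, detect_hosts=DETECT_HOSTS, unicast=True):
    """Apply the two checks from the post and return alert strings that
    carry the L2 addresses. Alert texts are this example's own wording."""
    p = parse_arp(frame)
    if p is None:
        return []
    src, dst = mac_str(p["eth_src"]), mac_str(p["eth_dst"])
    alerts = []
    # -unicast: an ARP request is normally broadcast; a unicast one is a
    # classic sign of a targeted probe or poisoning attempt
    if unicast and p["op"] == ARP_REQUEST and p["eth_dst"] != BROADCAST:
        alerts.append(f"Unicast ARP request {src} -> {dst} asking for {ip_str(p['tpa'])}")
    # arpspoof_detect_host: the sender IP is pinned, so its MAC must match
    expected = detect_hosts.get(ip_str(p["spa"]))
    if expected is not None:
        sha = mac_str(p["sha"])
        if sha != expected:
            alerts.append(f"Attempted ARP cache overwrite: {ip_str(p['spa'])} claimed by "
                          f"{sha} (eth src {src}), expected {expected}")
        if sha != src:
            alerts.append(f"Ethernet/ARP mismatch: ARP sender {sha} inside frame from {src}")
    return alerts


def scan(frames, **kw):
    """Run check_frame over a sequence of frames; returns (index, alert) pairs."""
    return [(i, a) for i, f in enumerate(frames) for a in check_frame(f, **kw)]


# Constructed sample frames (not captured from the poster's network)
SAMPLE_FRAMES = [
    # 0: ordinary broadcast who-has from the pinned host
    build_arp("ff:ff:ff:ff:ff:ff", "00:04:80:ee:11:00", ARP_REQUEST,
              "00:04:80:ee:11:00", "1.2.3.4", "00:00:00:00:00:00", "1.2.3.5"),
    # 1: unicast who-has aimed straight at the pinned host
    build_arp("00:04:80:ee:11:00", "00:0c:29:aa:bb:cc", ARP_REQUEST,
              "00:0c:29:aa:bb:cc", "1.2.3.99", "00:04:80:ee:11:00", "1.2.3.4"),
    # 2: gratuitous reply claiming 1.2.3.4 lives at the attacker's MAC
    build_arp("ff:ff:ff:ff:ff:ff", "00:0c:29:aa:bb:cc", ARP_REPLY,
              "00:0c:29:aa:bb:cc", "1.2.3.4", "ff:ff:ff:ff:ff:ff", "1.2.3.4"),
]

if __name__ == "__main__":
    for i, alert in scan(SAMPLE_FRAMES):
        print(f"[frame {i}] (spp_arpspoof-style) {alert}")
```

Frame 0 produces nothing, frame 1 trips the unicast check, and frame 2 trips the pinned-host check; every alert names the MAC that produced it, which is the information the poster was missing from the Snort alert file. Passing unicast=False to scan() mirrors leaving the -unicast option off.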