
[Snort-devel] ARPSpoof.

From: Andrew Tan <andtan_sg(at)hotmail.com>
Date: Sun Feb 15 2004 - 20:58:49 EST


Hi,
Arpspoof only detects the last entry in the configuration:

preprocessor arpspoof
preprocessor arpspoof_detect_host: 10.1.1.1 00:D0:59:26:85:5E
preprocessor arpspoof_detect_host: 10.1.1.2 00:D0:B7:44:9E:03

Got the following alerts when I spoofed 10.1.1.2:

[**] [112:4:1] Attempted ARP cache overwrite attack [**]
[Classification : Unknown]

02/10/04-09:18:10.017010 10.1.1.2 -> 10.1.1.2

[**] Attempted ARP cache overwrite attack [**]
02/10/04-09:18:10.017010 ARP who-has 10.1.1.4 tell 10.1.1.2

But when I tried to spoof 10.1.1.1, it did not raise any alert.

I modified the snort.conf to have the following

preprocessor arpspoof
preprocessor arpspoof_detect_host: 10.1.1.1 00:D0:59:26:85:5E

Now I got the following alerts:

[**] [112:4:1] Attempted ARP cache overwrite attack [**]
[Classification : Unknown]

02/10/04-09:23:38.733957 10.1.1.1 -> 10.1.1.1

[**] Attempted ARP cache overwrite attack [**]
02/10/04-09:23:38.733957 ARP reply 10.1.1.1 is-at 0:D:59:26:85:5E

It feels like it alerts only on the last host in the list. I walked through the code of spp_arpspoof.c but couldn't identify where the alerting goes wrong. Can anyone help me with this?

This works the same with the older versions of snort too (snort-2.0.2).

Regards,
Tan.
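
Added example, not part of the original post and not Snort's spp_arpspoof.c: a small C harness that loads both arpspoof_detect_host lines from the report and compares a sender IP/MAC pair against every entry, which is the behaviour the poster expected. The function names, the simplified mismatch check and the sender MAC 02:00:00:00:00:99 are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#define MAX_HOSTS 16
struct host_entry { unsigned char b[10]; };   /* 4 IP bytes, then 6 MAC bytes */
static struct host_entry table[MAX_HOSTS];
static int n_hosts;

/* Parse "<ip> <mac>" (leading blanks allowed): 0 on success, -1 on bad input. */
static int parse_pair(const char *s, struct host_entry *out)
{
    unsigned int v[10];
    if (sscanf(s, " %u.%u.%u.%u %x:%x:%x:%x:%x:%x", &v[0], &v[1], &v[2], &v[3],
               &v[4], &v[5], &v[6], &v[7], &v[8], &v[9]) != 10)
        return -1;
    for (int i = 0; i < 10; i++) {
        if (v[i] > 255) return -1;
        out->b[i] = (unsigned char)v[i];
    }
    return 0;
}

/* Append one "preprocessor arpspoof_detect_host: <ip> <mac>" line to the table. */
int add_host_line(const char *line)
{
    const char *args = strchr(line, ':');   /* first ':' ends the keyword */
    if (!args || n_hosts >= MAX_HOSTS || parse_pair(args + 1, &table[n_hosts]))
        return -1;
    n_hosts++;
    return 0;
}

/* 1: configured IP with a different MAC; 0: match or unconfigured; -1: bad input. */
int is_overwrite_attempt(const char *ip_and_mac)
{
    struct host_entry seen;
    if (parse_pair(ip_and_mac, &seen)) return -1;
    for (int i = 0; i < n_hosts; i++)   /* compare every entry, not only the last */
        if (memcmp(table[i].b, seen.b, 4) == 0)
            return memcmp(table[i].b + 4, seen.b + 4, 6) != 0;
    return 0;
}

int main(void)
{
    add_host_line("preprocessor arpspoof_detect_host: 10.1.1.1 00:D0:59:26:85:5E");
    add_host_line("preprocessor arpspoof_detect_host: 10.1.1.2 00:D0:B7:44:9E:03");
    /* Constructed sender MAC 02:00:00:00:00:99: both lines should print 1. */
    printf("%d\n", is_overwrite_attempt("10.1.1.1 02:00:00:00:00:99"));
    printf("%d\n", is_overwrite_attempt("10.1.1.2 02:00:00:00:00:99"));
    return 0;
}
```

Replaying the same two pairs against a sensor gives a regression check for the symptom in the report: an alert for 10.1.1.2 but none for 10.1.1.1.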



Received on Sun Feb 15 21:05:49 2004

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:12 EDT
