Snort mailing list archives

Re: mystery arp message


From: Jeff Nathan <jeff () snort org>
Date: Sun, 06 Oct 2002 19:52:13 -0700


Man...

all this knocking of spp_arpspoof.

So I'm happy to FIX it or even update it to do new things if people would 
like it to do things within the context of snort (I've thought about plugging 
it into spp_conversation for just that purpose).

For the purposes of logging, snort uses fixed messages for everything so 
the actual log output will never show the addresses in question.  (This is 
true for all similar messages at this point).

With regard to 1.9 the necessary change of passing the offending packet to 
the alert functions.   So, just like all other alerts in snort, you'll now 
have the packet that set off the alert to get all the little goodies out of.

-Jeff


--On Sunday, October 06, 2002 21:32:21 -0500 Chris Reining 
<creining () packetfu org> wrote:

There have been no significant changes in spp_arpspoof from 1.8.7 to 1.9.
It is *usable* but probably is not going to generate the data you are
looking for. I would recommend using arpwatch standalone.

-Chris
go badgers

On Thu, 03 Oct 2002 19:02:58 -0500
robin <mstubbs () facstaff wisc edu> wrote:

I got several messages from snort like this:
[112:3:1] Ethernet destination/ARP target address mismatch [**]
The problem being that I would like to know something about the
packet, such as what address it came from. Is there a version of snort
where this issue has been fixed? I think I'm using 1.87.
Otherwise, can someone recommend another program that could detect the
same kind of issue?
Thanks!



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


--
http://www.snort.org/~jeff       (pgp key available)
"Great spirits have always encountered violent opposition from mediocre
minds."
- Albert Einstein
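
An added example, not part of the original thread and not Snort's code: a standalone check that compares a frame's Ethernet destination with the ARP target hardware address and returns the addresses the fixed alert text leaves out. The names `check_arp_dst`, `describe` and `sample` are hypothetical, the comparison is inferred from the alert wording, and limiting it to ARP replies is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Addresses from the offending frame: what the fixed alert text omits. */
struct arp_info { uint8_t eth_dst[6], eth_src[6], sha[6], spa[4], tha[6], tpa[4]; };

/* 1 = ARP reply whose Ethernet destination differs from the ARP target hardware
 * address, 0 = consistent or not a reply, -1 = not Ethernet/IPv4 ARP.
 * Checking replies only is an assumption of this example. */
int check_arp_dst(const uint8_t *f, size_t len, struct arp_info *o)
{
    static const uint8_t fixed[6] = {0, 1, 0x08, 0x00, 6, 4}; /* htype, ptype, hlen, plen */
    if (len < 14 + 28 || f[12] != 0x08 || f[13] != 0x06) return -1; /* EtherType ARP */
    const uint8_t *a = f + 14;                 /* ARP body after the 14-byte header */
    if (memcmp(a, fixed, 6) != 0) return -1;
    memcpy(o->eth_dst, f, 6);  memcpy(o->eth_src, f + 6, 6);
    memcpy(o->sha, a + 8, 6);  memcpy(o->spa, a + 14, 4);
    memcpy(o->tha, a + 18, 6); memcpy(o->tpa, a + 24, 4);
    if (((a[6] << 8) | a[7]) != 2) return 0;   /* opcode 2 = reply */
    return memcmp(o->eth_dst, o->tha, 6) != 0;
}

/* Render the alert text with the frame's addresses appended. */
int describe(const struct arp_info *i, char *buf, size_t n)
{
    const uint8_t *s = i->eth_src, *d = i->eth_dst, *t = i->tha, *p = i->spa;
    return snprintf(buf, n, "Ethernet destination/ARP target address mismatch: "
        "eth %02x:%02x:%02x:%02x:%02x:%02x -> %02x:%02x:%02x:%02x:%02x:%02x, "
        "arp target %02x:%02x:%02x:%02x:%02x:%02x, sender ip %u.%u.%u.%u",
        s[0], s[1], s[2], s[3], s[4], s[5], d[0], d[1], d[2], d[3], d[4], d[5],
        t[0], t[1], t[2], t[3], t[4], t[5], p[0], p[1], p[2], p[3]);
}

/* Constructed sample (addresses made up): an ARP reply sent on the wire to
 * 00:11:22:33:44:55 while the ARP body names 00:aa:bb:cc:dd:ee as target. */
static const uint8_t sample[42] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x02,0x00,0x00,0x00,0x00,0x01, 0x08,0x06,
    0x00,0x01, 0x08,0x00, 6, 4, 0x00,0x02,
    0x02,0x00,0x00,0x00,0x00,0x01, 192,0,2,1,
    0x00,0xaa,0xbb,0xcc,0xdd,0xee, 192,0,2,9 };

int main(void)
{
    struct arp_info i; char line[256];
    if (check_arp_dst(sample, sizeof sample, &i) == 1) { describe(&i, line, sizeof line); puts(line); }
    return 0;
}
```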
    




