Re: arpspoof unicast arp request from where?

[Jeff Nathan <jeff () snort org>]

This is an excellent question.

Normally, you would use the logged packet to determine the source of the 
alert (We're working under the assumption that alert messages are basically 
static).

At the moment spp_arpspoof doesn't pass the packet that triggered the alert 
to the alerting functions but I'll remedy that ASAP.

-Jeff

--On Thursday, July 11, 2002 13:32:42 -0500 robin 
<mstubbs () facstaff wisc edu> wrote:

> Hello. I upgraded to using snort 1.8.7 on openbsd 3.1 I configured
> arpspoof thusly: arpspoof: -unicast
> so then it produced some alerts that look like this:
> "date-time [**] [112:1:1] unicast ARP request [**]"
> well how do I know where that is coming from? Is there a way to get more
> information about this like the MAC address and IP address? Is this logged
> somewhere?
>
>
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> PC Mods, Computing goodies, cases & more
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


--
http://jeff.wwti.com            (pgp key available)
"Great spirits have always encountered violent opposition from mediocre
minds."
- Albert Einstein

Attachment: _bin
Description: