Snort mailing list archives

How to detect massive ARPing from Ettercap?


From: twig les <twigles () yahoo com>
Date: Fri, 27 Sep 2002 10:14:38 -0700 (PDT)

Hey *, my latest spare-time toy is ettercap
(ettercap.sourceforge.net), which among many other
things, can map its subnet in about 10 seconds thru
massive arping.  Unfortunately my snort box didn't see
this happening.  More accurately, it saw it but didn't
generate any alerts.  I know it saw it because I ran
tcpdump on the snort box also.

Is there a way to catch this in 1.8.7?  I saw a post
this week about setting thresholds for rules (100 arps
in 10 seconds = alert), but I'm curious....

=====
-----------------------------------------------------------
Heavy metal made me do it.                        
-----------------------------------------------------------
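
The threshold idea mentioned in the post ("100 arps in 10 seconds = alert"), as an added example that is not part of the original post and is not Snort rule syntax or Snort code: a per-source sliding-window counter over ARP requests. The record format, the function names, the extra distinct-target condition (which goes beyond the post, to ignore a host that keeps asking for one address) and the sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10.0       # from the post: 100 ARPs in 10 seconds
MAX_REQUESTS = 100
MIN_DISTINCT_TARGETS = 50   # assumption: a subnet sweep asks for many different IPs


def detect_arp_sweeps(records, window=WINDOW_SECONDS,
                      max_requests=MAX_REQUESTS,
                      min_targets=MIN_DISTINCT_TARGETS):
    """records: time-ordered (timestamp, src_mac, target_ip) ARP who-has requests.
    Returns one alert per burst: (timestamp, src_mac, requests, distinct_targets)."""
    recent = defaultdict(deque)   # src_mac -> (timestamp, target_ip) inside the window
    alerting = set()              # sources already reported for the current burst
    alerts = []
    for ts, mac, target in records:
        q = recent[mac]
        q.append((ts, target))
        # Drop requests that have aged out of the window.
        while ts - q[0][0] >= window:
            q.popleft()
        distinct = len({t for _, t in q})
        if len(q) >= max_requests and distinct >= min_targets:
            if mac not in alerting:          # report a burst once, not per packet
                alerting.add(mac)
                alerts.append((ts, mac, len(q), distinct))
        else:
            alerting.discard(mac)            # burst ended; allow a later alert
    return alerts


def build_sample():
    """Constructed traffic: one source sweeping a /24, one retrying a single IP."""
    sweep = [(i * 0.04, "00:11:22:33:44:55", f"192.168.1.{i + 1}")
             for i in range(254)]
    retry = [(i * 0.05, "66:77:88:99:aa:bb", "192.168.1.1")
             for i in range(150)]
    return sorted(sweep + retry)


if __name__ == "__main__":
    for ts, mac, count, distinct in detect_arp_sweeps(build_sample()):
        print(f"ARP sweep from {mac} at t={ts:.2f}s: "
              f"{count} requests, {distinct} distinct targets in {WINDOW_SECONDS:.0f}s")
```

A sweep slower than the threshold rate (for example one request per second) never fills the window, so a rate threshold alone only catches fast mapping of the kind described in the post.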
