Snort mailing list archives

snort 2.1.0 bugs ?


From: Koay Yee Chen <yc_koay () yahoo com sg>
Date: Mon, 26 Jan 2004 17:48:18 +0800 (CST)

Hi,

Analysing snort-2.1.0 on Debian GNU/Linux 2.2, facing problems with the following:
 
1. arpspoof is not alerting properly when detected.
Say there are more than one IP/MAC address in the table. It always alerts only for the last item in the list,
even though the ARP frame is detected for that particular IP/MAC.
I checked the code in spp_arpspoof.c for LookupIPMacEntryByIP():

IPMacEntry *LookupIPMacEntryByIP(IPMacEntryList *ip_mac_entry_list,
        u_int32_t ipv4_addr)
{
    IPMacEntryListNode *current;
    if (ip_mac_entry_list == NULL)
        return NULL;
    for (current = ip_mac_entry_list->head; current != NULL; current = current->next)
    {
        if (current->ip_mac_entry->ipv4_addr == ipv4_addr)
        {
            DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,   
                    "MODNAME: LookupIPMecEntryByIP() match!"););     
            return current->ip_mac_entry;
        }
    }
    return NULL;
}

The matching of the IP/MAC address in the table is clear, but I couldn't understand why it always reports for the last node
in the list. As I am new to snort, I couldn't explore much of how snort detects these packets and logs them.
I even tried the patch from http://oasis.uptsoft.com/~devnull/spp_arpspoof.c. Snort dies because it says that
arpspoof_detect_host is not recognised by it. I know that this is like dynamic creation of these preprocessors on the
packets on a threshold basis. But say if I manually wanted to configure a particular IP/MAC, then how do I do it? Please
do give your suggestions on this.
 
2. The alerting mechanism for rules looks different between snort-2.0.5 and snort-2.1.0. Some of the rules do not
raise alerts, even though the packet matches the rule criteria.

B.Regards,
Koay
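For readers tracing the behaviour described in point 1, here is an added example (not code from the post or from Snort) that reconstructs what the arpspoof table check is supposed to do: walk a linked list of configured IP/MAC pairs, find the entry for the ARP sender IP, and flag the frame only when the sender MAC differs from the configured one. The struct, the function names and the sample table are hypothetical; the ARP replies are constructed inline.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical reconstruction of the arpspoof table check, not Snort's code. */
typedef struct IPMacEntry {
    uint32_t ipv4_addr;              /* host byte order */
    uint8_t  mac_addr[6];
    struct IPMacEntry *next;
} IPMacEntry;

static const IPMacEntry *lookup_by_ip(const IPMacEntry *head, uint32_t ip)
{
    for (; head != NULL; head = head->next)
        if (head->ipv4_addr == ip)
            return head;
    return NULL;
}

/* arp points at the ARP payload (28 bytes for Ethernet/IPv4).  Returns 1 when the
   sender IP is configured but the sender MAC differs (the condition arpspoof
   alerts on), 0 for unknown IPs, matching MACs, or malformed payloads. */
int arp_sender_mismatch(const IPMacEntry *table, const uint8_t *arp, size_t len)
{
    if (len < 28 || arp[4] != 6 || arp[5] != 4)   /* hlen 6, plen 4 */
        return 0;
    uint32_t spa = ((uint32_t)arp[14] << 24) | ((uint32_t)arp[15] << 16) |
                   ((uint32_t)arp[16] << 8)  |  (uint32_t)arp[17];
    const IPMacEntry *e = lookup_by_ip(table, spa);
    return e != NULL && memcmp(e->mac_addr, arp + 8, 6) != 0;
}

/* Constructed sample: a two-entry table and three ARP replies.  Returns the alert
   count; only the spoofed reply for the first (non-last) entry should fire. */
int demo_alert_count(void)
{
    IPMacEntry b = {0xC0A80002u, {0, 0x66, 0x77, 0x88, 0x99, 0xaa}, NULL}; /* 192.168.0.2 */
    IPMacEntry a = {0xC0A80001u, {0, 0x11, 0x22, 0x33, 0x44, 0x55}, &b};   /* 192.168.0.1 */
    uint8_t pkt[28] = {0, 1, 8, 0, 6, 4, 0, 2};  /* htype/ptype/hlen/plen/op=reply */
    int alerts = 0;
    memcpy(pkt + 8, "\xde\xad\xbe\xef\x00\x01", 6);            /* wrong MAC ... */
    memcpy(pkt + 14, "\xC0\xA8\x00\x01", 4);                   /* ... claiming .1 */
    alerts += arp_sender_mismatch(&a, pkt, 28);
    memcpy(pkt + 8, b.mac_addr, 6);                            /* genuine reply for .2 */
    memcpy(pkt + 14, "\xC0\xA8\x00\x02", 4);
    alerts += arp_sender_mismatch(&a, pkt, 28);
    memcpy(pkt + 14, "\xC0\xA8\x00\x09", 4);                   /* unconfigured .9 */
    alerts += arp_sender_mismatch(&a, pkt, 28);
    return alerts;
}
```

If a build of the preprocessor alerts for the last entry regardless of which configured host the frame names, the fault is outside this lookup (for example in how the table is populated or how the alert text is chosen), which is where to look next.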

