Snort mailing list archives
arpspoof preprocessor and barnyard2 \ BASE issue
From: cnuddep () rogers com
Date: Tue, 17 Jan 2012 13:02:33 -0800 (PST)
Greetings,

I have enabled the arpspoof preprocessor in my snort.conf file:

    preprocessor arpspoof
    preprocessor arpspoof_detect_host: 10.0.0.1 00:aa:bb:cc:dd:ee

When I run snort and output alerts to the console, then launch an arpspoof attack, everything works as expected:

    snort -c snort.conf -A console
    ....
    01/17-15:46:44.675601 [**] [112:4:1] (spp_arpspoof) Attempted ARP cache overwrite attack [**]
    ...

However, if I fire up barnyard2 it does not insert the alerts into the mysql\snort database running on the same box, although it inserts events into the event table. I have tested other rules and preprocessors and alerts from them get inserted without issue.

An error message also shows up in BASE while the arpspoof attack is underway which resembles this:

    /var/www/base/includes/base_cache.inc.php:521: ERROR: Alert "1 - 1217" could NOT be found in acid_event.

Does anyone have any thoughts on what might be going on here?

Thanks in advance