Snort mailing list archives
Arp Preprocessor Patch
From: José Diogo via Snort-devel <snort-devel () lists snort org>
Date: Thu, 11 Oct 2018 17:23:37 +0100
Hi,

This is a patch for the ARP preprocessor to produce more detailed messages regarding the ARP Cache Override Attacks. The patch adds the following information to the default message: SHA (Sender Hardware Address), SPA (Sender Protocol Address), THA (Target Hardware Address) and TPA (Target Protocol Address), as defined in the ARP protocol message.

This way, instead of getting a somewhat ambiguous default message (i.e. "(spp_arpspoof) Attempted ARP cache overwrite attack"), it produces something like: "(spp_arpspoof) Attempted ARP cache overwrite attack, Mismatch mapping aa:aa:aa:aa:aa:aa <-> 172.27.248.1, sha bb:bb:bb:bb:bb:bb, spa 172.27.248.1, tha cc:cc:cc:cc:cc:cc, tpa 172.27.248.213".

Let me know your feedback.
Attachment: spp_arpspoof.c.diff
Best Regards, José Monteiro
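Added example, not taken from the post or from the attached patch (which is not shown on this page): a simplified C model of the check the message describes, pulling SHA, SPA, THA and TPA out of an Ethernet/IPv4 ARP payload and formatting the alert text in the form quoted above. `struct arp_mapping`, `arp_check_mapping` and the sample packet are hypothetical names and constructed data; the real preprocessor's logic may differ.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical static mapping entry: the MAC the operator expects for an IP. */
struct arp_mapping { uint8_t ip[4]; uint8_t mac[6]; };

/* Constructed sample: ARP reply (Ethernet/IPv4) using the addresses quoted in the post. */
static const uint8_t sample_pkt[28] = {
    0x00, 0x01, 0x08, 0x00, 6, 4, 0x00, 0x02,               /* htype, ptype, hlen, plen, oper */
    0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 172, 27, 248, 1,    /* SHA, SPA */
    0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 172, 27, 248, 213   /* THA, TPA */
};
static const struct arp_mapping sample_map = {{172, 27, 248, 1}, {0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa}};

static void fmt_mac(char out[18], const uint8_t *m) {
    snprintf(out, 18, "%02x:%02x:%02x:%02x:%02x:%02x", m[0], m[1], m[2], m[3], m[4], m[5]);
}
static void fmt_ip(char out[16], const uint8_t *a) {
    snprintf(out, 16, "%u.%u.%u.%u", a[0], a[1], a[2], a[3]);
}

/* Returns 1 and fills msg when SPA is the mapped IP but SHA is not the expected MAC,
 * 0 when consistent or about another IP, -1 when not a full Ethernet/IPv4 ARP payload. */
int arp_check_mapping(const uint8_t *pkt, size_t len, const struct arp_mapping *map,
                      char *msg, size_t msglen) {
    static const uint8_t eth_ipv4[6] = {0x00, 0x01, 0x08, 0x00, 6, 4};
    char emac[18], eip[16], sha[18], spa[16], tha[18], tpa[16];

    if (len < 28 || memcmp(pkt, eth_ipv4, 6) != 0) return -1;
    if (memcmp(pkt + 14, map->ip, 4) != 0) return 0;   /* SPA is not the mapped IP */
    if (memcmp(pkt + 8, map->mac, 6) == 0) return 0;   /* SHA matches: no alert */

    fmt_mac(emac, map->mac); fmt_ip(eip, map->ip);
    fmt_mac(sha, pkt + 8);   fmt_ip(spa, pkt + 14);
    fmt_mac(tha, pkt + 18);  fmt_ip(tpa, pkt + 24);
    snprintf(msg, msglen, "(spp_arpspoof) Attempted ARP cache overwrite attack, "
             "Mismatch mapping %s <-> %s, sha %s, spa %s, tha %s, tpa %s",
             emac, eip, sha, spa, tha, tpa);
    return 1;
}

int main(void) {
    char msg[256];
    if (arp_check_mapping(sample_pkt, sizeof sample_pkt, &sample_map, msg, sizeof msg) == 1) puts(msg);
    return 0;
}
```

With all four addresses in the alert, an analyst can tell from the log line alone which host claimed the address and which host was the intended recipient.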