Re: Arp Poisoning

["Al Lewis \(allewi\) via Snort-sigs" <snort-sigs () lists snort org>]

You should be able to use the ARP preprocessor to detect the MAC address changes/spoofing.

The preprocessor settings are listed in the users guide.

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi () cisco com<mailto:allewi () cisco com>



From: Snort-sigs <snort-sigs-bounces () lists snort org> on behalf of Vinukshan Pathmanathan via Snort-sigs <snort-sigs 
() lists snort org>
Reply-To: Vinukshan Pathmanathan <vinukshan98 () gmail com>
Date: Saturday, May 2, 2020 at 10:11 PM
To: "snort-sigs () lists snort org" <snort-sigs () lists snort org>
Subject: [Snort-sigs] Arp Poisoning

Hey everyone, I'm nee to using snort and tried to detect an ongoing ettercap arp poisoning attack using snort. Could 
anyone guide me on the rule used for it. TIA

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!