List: snort-sigs
Subject: Re: [Snort-sigs] Arpspoof Preproc failed
From: "Al Lewis (allewi) via Snort-sigs" <snort-sigs@lists.snort.org>
Date: 2020-04-27 19:34:14
Message-ID: 1B592E38-E43E-43B5-8CCD-86C79B23B661@cisco.com
Hello,
Some info on the arpspoof preprocessor is listed here: http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node17.html#SECTION003215000000000000000
An event should look like below for unicast ARP (in the pcap).
debian9@debian9:/var/tmp/snort-2.9.15$ ./bin/snort -c etc/arpspoof.conf -r ~/Downloads/arp.pcap -Acmg -k none -q
Arpspoof IPMacEntry List Size: 1
192.168.40.1 -> f0:0f:00:f0:0f:00
Arpspoof IPMacEntry List Size: 2
192.168.40.1 -> f0:0f:00:f0:0f:00
192.168.40.2 -> f0:0f:00:f0:0f:01
11/10-21:00:25.652633 [**] [112:1:1] (spp_arpspoof) Unicast ARP request [**]
The settings used were:
debian9@debian9:/var/tmp/snort-2.9.15$ cat etc/arpspoof.conf | grep arp
preprocessor arpspoof: -unicast
preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
preprocessor arpspoof_detect_host: 192.168.40.2 f0:0f:00:f0:0f:01
The conf and pcap are attached.
Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi@cisco.com
From: Snort-sigs <snort-sigs-bounces@lists.snort.org> on behalf of Alius Fr via Snort-sigs <snort-sigs@lists.snort.org>
Reply-To: Alius Fr <luff0999@gmail.com>
Date: Monday, April 27, 2020 at 1:42 PM
To: "snort-sigs@lists.snort.org" <snort-sigs@lists.snort.org>
Subject: [Snort-sigs] Arpspoof Preproc failed
Hi community.
I'm new to Snort. I'm trying to set it up for a college lab. They asked me to install and set up Snort to detect an arpspoof attack. I did what I could, but I have no alerts after doing the attack from a Kali Linux machine, and I lost the connection, which means it doesn't work. Do you have some documentation about it? There are lots of video tutorials about Snort, but nobody talks about arpspoof configuration. I'd really appreciate your help.
Thank you in advance.
["arp.pcap" (application/octet-stream)]
["arpspoof.conf" (application/octet-stream)]
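To make the configuration in the thread concrete, the following is an added example and not code from the thread, from the poster, or from Snort itself. It re-implements, in plain Python, the checks the arpspoof preprocessor is documented to perform (unicast ARP request, Ethernet-frame/ARP-body address mismatch, and cache-overwrite against the static `arpspoof_detect_host` table) and runs them over constructed Ethernet/ARP frames, so you can see which of the frames a poisoning tool sends would trip which event before pointing Snort at a live interface. The gateway and host addresses are the ones from the thread; the attacker MAC, the frames, and the message text for SIDs 112:2 through 112:4 are assumptions of this example (only 112:1 appears on the page), as is the choice to compare the pinned MAC against both the ARP sender field and the frame source.

```python
"""Added example (not Snort's code, not from the thread): spp_arpspoof-style
checks over constructed ARP frames.  Gateway/host values are the thread's;
attacker MAC, frames and SID texts 112:2-4 are assumptions."""
import struct
from typing import Dict, List, Tuple

BROADCAST = b"\xff" * 6
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# 112:1 text is from the thread; the other three are assumed gen-msg.map texts.
MSG = {
    "112:1": "Unicast ARP request",
    "112:2": "Etherframe ARP mismatch (src)",
    "112:3": "Etherframe ARP mismatch (dst)",
    "112:4": "Attempted ARP cache overwrite attack",
}

def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))

def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))

def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def build_arp(eth_dst, eth_src, op, sha, spa, tha, tpa) -> bytes:
    """Constructed 42-byte Ethernet II + ARP (IPv4 over Ethernet) frame."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return eth + arp + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)

def parse_config(conf: str) -> Tuple[bool, Dict[str, bytes]]:
    """Read 'preprocessor arpspoof[: -unicast]' and 'preprocessor
    arpspoof_detect_host: <ip> <mac>' lines.  Returns (unicast, {ip: mac})."""
    unicast, table = False, {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].split()
        if len(line) < 2 or line[0] != "preprocessor":
            continue
        if line[1] == "arpspoof_detect_host:" and len(line) == 4:
            table[line[2]] = mac_bytes(line[3])
        elif line[1] in ("arpspoof", "arpspoof:"):
            unicast = "-unicast" in line[2:]
    return unicast, table

def check_frame(frame: bytes, unicast: bool, table: Dict[str, bytes]) -> List[str]:
    """Return the SIDs one frame would raise.  Only ARP over Ethernet/IPv4 is
    decoded; anything else is ignored, as the preprocessor ignores it."""
    sids: List[str] = []
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return sids
    eth_dst, eth_src = frame[0:6], frame[6:12]
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return sids
    sha, spa, tha = frame[22:28], frame[28:32], frame[32:38]
    if op == ARP_REQUEST:
        # -unicast: a who-has aimed at one MAC instead of broadcast.
        if unicast and eth_dst != BROADCAST:
            sids.append("112:1")
        if eth_src != sha:
            sids.append("112:2")
    elif op == ARP_REPLY:
        if eth_src != sha:
            sids.append("112:2")
        if eth_dst != tha:
            sids.append("112:3")
    # arpspoof_detect_host pins IP->MAC.  A frame claiming a pinned IP from a
    # different MAC (ARP body or frame source; checking both is this
    # example's choice) is a cache-overwrite attempt.
    pinned = table.get(ip_str(spa))
    if pinned is not None and (sha != pinned or eth_src != pinned):
        sids.append("112:4")
    return sids

# Addresses: gateway/host from the thread; attacker MAC constructed.
GW_IP, GW_MAC = "192.168.40.1", "f0:0f:00:f0:0f:00"
HOST_IP, HOST_MAC = "192.168.40.2", "f0:0f:00:f0:0f:01"
ATTACKER_MAC = "de:ad:be:ef:00:01"
ZERO_MAC, BCAST = "00:00:00:00:00:00", "ff:ff:ff:ff:ff:ff"

CONF = """\
preprocessor arpspoof: -unicast
preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
preprocessor arpspoof_detect_host: 192.168.40.2 f0:0f:00:f0:0f:01
"""

FRAMES = {  # constructed sample traffic
    # ordinary who-has from the host: broadcast, consistent addresses
    "broadcast request": build_arp(BCAST, HOST_MAC, ARP_REQUEST, HOST_MAC, HOST_IP, ZERO_MAC, GW_IP),
    # the same request sent directly to the gateway MAC
    "unicast request": build_arp(GW_MAC, HOST_MAC, ARP_REQUEST, HOST_MAC, HOST_IP, ZERO_MAC, GW_IP),
    # what a poisoner sends the victim: "192.168.40.1 is-at <attacker>"
    "spoofed reply": build_arp(HOST_MAC, ATTACKER_MAC, ARP_REPLY, ATTACKER_MAC, GW_IP, HOST_MAC, HOST_IP),
    # ARP body claims the real gateway MAC, frame source is still the attacker
    "frame/body mismatch": build_arp(HOST_MAC, ATTACKER_MAC, ARP_REPLY, GW_MAC, GW_IP, HOST_MAC, HOST_IP),
}

def run(conf: str = CONF, frames: Dict[str, bytes] = FRAMES) -> Dict[str, List[str]]:
    unicast, table = parse_config(conf)
    return {name: check_frame(f, unicast, table) for name, f in frames.items()}

if __name__ == "__main__":
    for name, sids in run().items():
        print(f"{name:20s} {', '.join(f'[{s}] {MSG[s]}' for s in sids) or '-'}")
```

The point the table makes for the original question: without an `arpspoof_detect_host` entry for the gateway, the "spoofed reply" frame raises nothing at all, because its Ethernet and ARP addresses are perfectly consistent and it is not a request; only the pinned IP-to-MAC mapping turns it into 112:4. The `-unicast` flag, by contrast, only affects requests.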
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.snort.org
https://lists.snort.org/mailman/listinfo/snort-sigs
Please visit http://blog.snort.org for the latest news about Snort!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads