Snort and arp spoofing
-
I see in the 'Sticky: Snort package FAQ: Please read before posting' that:
Wireless security monitoring (Work not started)
- Detection of ARP spoofing
- Detection of bruteforcing attempts (I'm confident I can do this, but may not happen)
Is it possible to work with ARP spoofing in pfSense now? (Another way?)
Thanks, sorry for my English…
JuanjoA
-
Read the Snort user manual; there is a section that deals with ARP spoofing.
James
-
Thanks, I will see it.
juanjoA
-
Hello again…
In the pfSense GUI --> Snort --> Advanced --> Advanced configuration pass through
Here I can add the lines I need to detect ARP spoofing over my gateway, i.e.:
preprocessor arpspoof
preprocessor arpspoof_detect_host:192.168.1.1 00:11:22:33:44:55
This modifies /cf/config/config.xml and adds the lines to /usr/local/etc/snort/snort.conf (a reboot is needed).
The problem is how to indicate a new line in the advanced configuration field.
I tried br, br/, /n (with <>, I don't know how to escape in this text) and pressing Enter, but when I press 'Save' the carriage return disappears and the lines are joined. In snort.conf they are also joined and don't work.
Any ideas?
Thanks
juanjoA
-
This is an Experimental preprocessor.
You need to compile the arp spoofing preprocessor and place it in the /usr/local/lib/snort/dynamicpreprocessor dir.
Read up on the format you need also.
http://books.google.com/books?id=M9plZZxJB_UC&pg=PA288&lpg=PA288&dq=preprocessor+arpspoof&source=bl&ots=pK6vklChN2&sig=_GMQYY0EHdvBNMXgSOdJlE4_Eys&hl=en&ei=bbOmSvPoMY-oswOZ0sjHBQ&sa=X&oi=book_result&ct=result&resnum=7#v=onepage&q=preprocessor%20arpspoof&f=false
James
-
Thanks for your help.
But when I add the lines:
preprocessor arpspoof
preprocessor arpspoof_detect_host:192.168.1.1 00:11:22:33:44:55
in snort.conf, I see the ARP attacks in the alerts. Snort detects these attacks, but on reboot snort.conf restarts with the default config and the manual changes do not persist.
If it is necessary to compile the preprocessor for experimental preprocessors, I should learn more. Thanks again for your time and your great work!
-
I'm at work so can't talk much.
Yes, after every reboot snort.conf gets remade.
You will have to add your changes to snort.inc to make your changes permanent.
Good news: if you're seeing that attack you do not need to recompile the preprocessor.
James
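
Added example, not part of the thread and not Snort's own code: a Python version of the kind of check a static IP-to-MAC entry such as the arpspoof_detect_host line above describes, run over constructed ARP frames. The function names and sample frames are assumptions made for illustration; the IP/MAC pair is the one from the posts.

```python
import socket
import struct

# Static IP -> MAC table, mirroring the arpspoof_detect_host line in the thread.
KNOWN_HOSTS = {"192.168.1.1": "00:11:22:33:44:55"}

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def check_arp_frame(frame, known=KNOWN_HOSTS):
    """Return a list of findings for one raw Ethernet frame."""
    if len(frame) < 42:
        return ["truncated frame"]
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        return []  # not ARP, nothing to check
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return ["unsupported ARP variant"]
    findings = []
    sender_ip, sender_mac = socket.inet_ntoa(spa), mac_str(sha)
    # The Ethernet header and the ARP payload should name the same sender.
    if mac_str(eth_src) != sender_mac:
        findings.append(f"ethernet/arp mismatch: {mac_str(eth_src)} vs {sender_mac}")
    # A monitored IP announced with a MAC other than the configured one.
    expected = known.get(sender_ip)
    if expected is not None and expected.lower() != sender_mac:
        findings.append(f"{sender_ip} claimed by {sender_mac}, expected {expected}")
    return findings

def build_arp(eth_src, sha, spa, tpa, oper=2):
    """Build a constructed broadcast ARP frame (test data, not captured traffic)."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    return (m("ff:ff:ff:ff:ff:ff") + m(eth_src) + struct.pack("!H", 0x0806)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + m(sha) + socket.inet_aton(spa) + bytes(6) + socket.inet_aton(tpa))

GATEWAY = "00:11:22:33:44:55"
OTHER = "02:00:00:00:00:99"  # constructed, locally administered MAC
GOOD = build_arp(GATEWAY, GATEWAY, "192.168.1.1", "192.168.1.50")
SPOOF = build_arp(OTHER, OTHER, "192.168.1.1", "192.168.1.50")
FORGED_PAYLOAD = build_arp(OTHER, GATEWAY, "192.168.1.1", "192.168.1.50")

if __name__ == "__main__":
    for name, frame in [("good", GOOD), ("spoof", SPOOF), ("forged", FORGED_PAYLOAD)]:
        print(name, check_arp_frame(frame))
```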