Snort not alerting - ARP spoofing



  • Hi everybody,
    I need your help.
    I configured snort.conf like below:

    preprocessor arpspoof
    preprocessor arpspoof_detect_host: 192.168.93.1  00:50:56:C0:00:08
    preprocessor arpspoof_detect_host: 192.168.93.129  00:0C:29:BD:FF:A8
    preprocessor arpspoof_detect_host: 192.168.93.130  00:0C:29:92:11:4B

    I installed Snort on this machine: 192.168.93.1 and it's running …

    and Cain is working on 192.168.93.130 and is ARP spoofing between 192.168.93.1 and 192.168.93.129

    and showing all of the usernames and passwords ...
    But Snort is not alerting :(

    Other attacks like nmap scanning work correctly and Snort detects them... but it does not detect this ARP poisoning...
    What do I have to do?



  • @hadishb:

    Hi everybody,
    I need your help.
    I configured snort.conf like below:

    preprocessor arpspoof
    preprocessor arpspoof_detect_host: 192.168.93.1  00:50:56:C0:00:08
    preprocessor arpspoof_detect_host: 192.168.93.129  00:0C:29:BD:FF:A8
    preprocessor arpspoof_detect_host: 192.168.93.130  00:0C:29:92:11:4B

    I installed Snort on this machine: 192.168.93.1 and it's running …

    and Cain is working on 192.168.93.130 and is ARP spoofing between 192.168.93.1 and 192.168.93.129

    and showing all of the usernames and passwords ...
    But Snort is not alerting :(

    Other attacks like nmap scanning work correctly and Snort detects them... but it does not detect this ARP poisoning...
    What do I have to do?

    Anything you directly hand-edit in snort.conf is overwritten and discarded the next time Snort is restarted or if you save any other changes in the GUI.  The snort.conf file is automatically generated by the system.  Never attempt to hand-edit the snort.conf file.

    Currently, if you want to use this preprocessor, you must put your edits in the "Advanced Pass-Through" text box on the INTERFACE edit tab for the applicable interface.  This way your changes will be written to snort.conf and be persistent.

    Bill



  • Thanks for your answer…
    I solved this problem...
    The alert of the preprocessor was disabled by # ...
    I uncommented it and the alert appeared...



  • @hadishb:

    Thanks for your answer…
    I solved this problem...
    The alert of the preprocessor was disabled by # ...
    I uncommented it and the alert appeared...

    Yes, but your change in the file will be lost when Snort is auto-restarted (say by an update, for example).  Each auto-restart calls a function in the GUI code that writes a new snort.conf file.

    If you want your change for the ARP preprocessor to "stick", you must do it the way I described using the "Advanced Configuration Pass-Through" box on the INTERFACES tab for the Snort interface in question.

    Bill



  • Yes..Exactly :)

    Is there any way to log the attacker's IP address in the alert log?
    In NIDS mode it doesn't show the IP address and only shows this:

    [] [112:4:1] (spp_arpspoof) Attempted ARP cache overwrite attack []
    07/01-20:29:08.615513

    I want to know the attacker's IP address and block it as soon as possible … is there any way?



  • @hadishb:

    Yes..Exactly :)

    Is there any way to log the attacker's IP address in the alert log?
    In NIDS mode it doesn't show the IP address and only shows this:

    [] [112:4:1] (spp_arpspoof) Attempted ARP cache overwrite attack []
    07/01-20:29:08.615513

    I want to know the attacker's IP address and block it as soon as possible … is there any way?

    Unfortunately, no there is no way.  It's not how that preprocessor works.

    Bill
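
Added example, not part of the thread and not Snort's own code: the IP-to-MAC comparison that the `arpspoof_detect_host` entries from the first post define, run over constructed ARP observations to show how a mismatching sender MAC can be traced back to a host when that MAC is itself in the table. The observation list and the function names are assumptions made for this example.

```python
import re

# The preprocessor lines from the first post in this thread.
SNORT_CONF = """\
preprocessor arpspoof
preprocessor arpspoof_detect_host: 192.168.93.1  00:50:56:C0:00:08
preprocessor arpspoof_detect_host: 192.168.93.129  00:0C:29:BD:FF:A8
preprocessor arpspoof_detect_host: 192.168.93.130  00:0C:29:92:11:4B
"""

# Constructed sample data: (sender IP, sender MAC) pairs as they would be
# read from ARP replies. Not captured from a real network.
OBSERVED = [
    ("192.168.93.1", "00:50:56:c0:00:08"),    # matches the table
    ("192.168.93.129", "00:0c:29:92:11:4b"),  # .129 announced with .130's MAC
    ("192.168.93.1", "00:0c:29:92:11:4b"),    # .1 announced with .130's MAC
    ("192.168.93.50", "00:0c:29:aa:bb:cc"),   # host not in the table, ignored
]

HOST_RE = re.compile(
    r"^\s*preprocessor\s+arpspoof_detect_host:\s*(\S+)\s+"
    r"((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s*$")

def load_bindings(conf_text):
    """Return {ip: mac} from uncommented arpspoof_detect_host lines."""
    bindings = {}
    for line in conf_text.splitlines():
        m = HOST_RE.match(line)  # a leading '#' makes the line not match
        if m:
            bindings[m.group(1)] = m.group(2).lower()
    return bindings

def find_mismatches(bindings, observed):
    """Return one record per observation that contradicts a static binding."""
    owner_by_mac = {mac: ip for ip, mac in bindings.items()}
    hits = []
    for ip, mac in observed:
        mac = mac.lower()
        expected = bindings.get(ip)
        if expected is not None and mac != expected:
            hits.append({"claimed_ip": ip, "expected_mac": expected,
                         "seen_mac": mac,
                         # None when the sender's MAC is not in the table
                         "seen_mac_belongs_to": owner_by_mac.get(mac)})
    return hits

if __name__ == "__main__":
    for hit in find_mismatches(load_bindings(SNORT_CONF), OBSERVED):
        print(hit)
```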



  • Thanks for your kind help, dear <3

    Thank you :)

