fahmiff

Error Alert could not be found in acid_event.

4 posts in this topic

Sorry to bother you all. I am trying to check ARP spoofing on my WinIDS system, so I activated the preproc rule used to detect ARP spoofing. The rule looks like this:

alert ( msg: "ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK"; sid: 4; gid: 112; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )

 

And it works: it shows up and gives an alert on barnyard2 & Visual Syslog Server. It gives an alert like this:

05/16-13:31:06.553294  [**] [112:4:1] spp_arpspoof: ARP Cache Overwrite Attack [**]

 

But the alert can't be shown on BASE. It gives an error on BASE; the error looks like this:

"D:\winids\Apache24\htdocs\base\includes\base_cache.inc.php:776: ERROR: 
3 alerts have NOT found their way into acid_event with sid = 4"
"D:\winids\Apache24\htdocs\base\includes\base_cache.inc.php:521: ERROR: Alert "4 - 9618" could NOT be found in acid_event"

 

What should I do to fix the error and make the alert show on BASE?

Thank you so much.

- Fahmi


What is the process you used? I'll check it on another build.

Did you just add the below to your local.rules file?

alert ( msg: "ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK"; sid: 4; gid: 112; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )

Did you use something to generate the alert?

57 minutes ago, Morpheus said:

 

Did you just add the below to your local.rules file?

alert ( msg: "ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK"; sid: 4; gid: 112; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )

Did you use something to generate the alert?

 

No, I didn't add that rule to my local.rules file, because that rule is already active in preprocessor.rules in the folder d:\winids\snort\preproc_rules.

What I did was configure my snort.config file: I deleted the # on these lines and changed the host IP address:

# ARP spoof detection.  For more information, see the Snort Manual - Configuring Snort - Preprocessors - ARP Spoof Preprocessor
preprocessor arpspoof
preprocessor arpspoof_detect_host: 192.168.43.79 f0:0f:00:f0:0f:00

 

I generated the alert using Angry IP Scanner to scan the IP address and port address.

Thank you so much.

On 5/16/2019 at 7:31 PM, Morpheus said:

What is the process you used and I'll check it on another build.

Did you just add the below to your local.rules file?

alert ( msg: "ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK"; sid: 4; gid: 112; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )

Did you use something to generate the alert?

 

I already tried adding that rule to local.rules, but the same error "ERROR: 1 alerts have NOT found their way into acid_event with sid = 4" still appears.
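An added diagnostic for the errors in this thread, not posted by anyone here. It assumes the standard Snort/barnyard2 MySQL schema (sensor, event, signature, iphdr) plus BASE's acid_event cache table, and that the "sid" in BASE's message is the sensor id, since BASE keys acid_event by sensor sid and cid (so "4 - 9618" is sensor 4, event 9618, not the rule's sid). The second query checks whether the 112:4 arpspoof events, which come from ARP frames and so have no IP header row, are the ones missing from the cache.

```sql
-- Added diagnostic (not from the thread). Assumes the standard
-- Snort/barnyard2 MySQL schema and BASE's acid_event cache table.
-- BASE keys acid_event by sensor id + count id, so the "4 - 9618" in
-- the BASE error is sensor.sid = 4, cid = 9618 (values from the thread).

-- 1. Is the raw event present, and which signature does it reference?
SELECT e.sid, e.cid, e.timestamp, s.sig_gid, s.sig_sid, s.sig_rev, s.sig_name
FROM event e
JOIN signature s ON s.sig_id = e.signature
WHERE e.sid = 4 AND e.cid = 9618;

-- 2. For every 112:4 preprocessor alert from that sensor, show whether
--    barnyard2 wrote an iphdr row and whether BASE's cache has a row.
--    ARP frames carry no IP header, so has_iphdr = 0 is normal for
--    arpspoof alerts; if in_acid_event = 0 only for those rows, the cache
--    build is dropping events that have no matching iphdr row.
SELECT e.cid, e.timestamp,
       ip.cid IS NOT NULL AS has_iphdr,
       ae.cid IS NOT NULL AS in_acid_event
FROM event e
JOIN signature s  ON s.sig_id = e.signature
LEFT JOIN iphdr ip ON ip.sid = e.sid AND ip.cid = e.cid
LEFT JOIN acid_event ae ON ae.sid = e.sid AND ae.cid = e.cid
WHERE e.sid = 4 AND s.sig_gid = 112 AND s.sig_sid = 4
ORDER BY e.cid DESC;
```

Run both against the Snort database barnyard2 writes to; compare the has_iphdr and in_acid_event columns across a few ordinary IP-based alerts as well to confirm the pattern is specific to the ARP events.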
