
Posted

Sorry to bother you all. I'm trying to check ARP spoofing on my WinIDS system, so I activated the preproc rule used to detect ARP spoofing. The rule looks like this:

alert ( msg: "ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK"; sid: 4; gid: 112; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )

and it works; it shows up and gives an alert on barnyard2 and Visual Syslog Server. It gives an alert like this:

05/16-13:31:06.553294  [**] [112:4:1] spp_arpspoof: ARP Cache Overwrite Attack [**]

but the alert can't be shown on BASE; it gives an error on BASE. The error looks like this:

"D:\winids\Apache24\htdocs\base\includes\base_cache.inc.php:776: ERROR: 
3 alerts have NOT found their way into acid_event with sid = 4"
"D:\winids\Apache24\htdocs\base\includes\base_cache.inc.php:521: ERROR: Alert "4 - 9618" could NOT be found in acid_event"

What should I do to fix the error and make the alert show on BASE?

Thank you so much.

- Fahmi

Posted

What is the process you used? I'll check it on another build.

Did you just add the below to your local.rules file?

alert ( msg: "ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK"; sid: 4; gid: 112; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )

Did you use something to generate the alert?

Posted
57 minutes ago, Morpheus said:

Did you just add the below to your local.rules file?

alert ( msg: "ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK"; sid: 4; gid: 112; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )

Did you use something to generate the alert?

No, I didn't add that rule to my local.rules file, because that rule is already active in preprocessor.rules in the folder d:\winids\snort\preproc_rules.

What I did is configure my snort.config file: I deleted the # on this line and changed the host IP address:

# ARP spoof detection.  For more information, see the Snort Manual - Configuring Snort - Preprocessors - ARP Spoof Preprocessor
preprocessor arpspoof
preprocessor arpspoof_detect_host: 192.168.43.79 f0:0f:00:f0:0f:00

I generated the alert using Angry IP Scanner to scan the IP address and port address.

Thank you so much.
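The first post quotes three artefacts that have to agree for an arpspoof event to be usable downstream: the preproc rule (its gid/sid/rev), the fast-format alert line barnyard2 emitted (`[112:4:1]`), and the `arpspoof_detect_host` lines in snort.conf that tell the preprocessor which IP/MAC pairing to defend. The added Python below, which is not code from the thread or from the Snort or BASE projects, parses each of those artefacts and checks them against each other: that the alert's generator/signature/revision triple matches the rule, and that every `arpspoof_detect_host` entry carries a well-formed IPv4 address and MAC. The sample inputs are constructed copies of the lines in this thread plus one deliberately malformed host entry to exercise the validation path.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed samples, shaped like the lines quoted in the thread
# (preproc rule, barnyard2 fast-alert line, snort.conf arpspoof block).
PREPROC_RULE = ('alert ( msg: "ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK"; sid: 4; gid: 112; '
                'rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )')
ALERT_LINE = ('05/16-13:31:06.553294  [**] [112:4:1] spp_arpspoof: '
              'ARP Cache Overwrite Attack [**]')
SNORT_CONF = """# ARP spoof detection.
preprocessor arpspoof
preprocessor arpspoof_detect_host: 192.168.43.79 f0:0f:00:f0:0f:00
preprocessor arpspoof_detect_host: 192.168.43.80 not-a-mac
"""
# (the 192.168.43.80 line is a constructed bad entry, not from the thread)

# Rule options are "key: value;" pairs; a quoted value may contain spaces or ';'.
OPTION_RE = re.compile(r'(\w+)\s*:\s*(?:"([^"]*)"|([^;]*?))\s*;')
# Snort fast alert: <timestamp> [**] [gid:sid:rev] <message> [**]
FAST_ALERT_RE = re.compile(r'^(\S+)\s+\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]')
DETECT_HOST_RE = re.compile(
    r'^\s*preprocessor\s+arpspoof_detect_host:\s*(\S+)\s+(\S+)\s*$', re.M)
MAC_RE = re.compile(r'^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}$')
IPV4_RE = re.compile(r'^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$')


def parse_preproc_rule(rule: str) -> Dict[str, object]:
    """Return the rule's options; sid/gid/rev are converted to int."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    opts: Dict[str, object] = {}
    for key, quoted, bare in OPTION_RE.findall(body):
        value = quoted if quoted else bare.strip()
        opts[key] = int(value) if key in ('sid', 'gid', 'rev') else value
    return opts


def parse_fast_alert(line: str) -> Optional[Dict[str, object]]:
    """Split a fast-format alert line into timestamp, gid/sid/rev and message."""
    m = FAST_ALERT_RE.match(line)
    if not m:
        return None
    ts, gid, sid, rev, msg = m.groups()
    return {'timestamp': ts, 'gid': int(gid), 'sid': int(sid),
            'rev': int(rev), 'msg': msg}


def alert_matches_rule(alert: Dict[str, object], rule: Dict[str, object]) -> bool:
    """True when the alert's [gid:sid:rev] is the triple the rule declares."""
    return all(alert[k] == rule[k] for k in ('gid', 'sid', 'rev'))


def valid_ipv4(ip: str) -> bool:
    m = IPV4_RE.match(ip)
    return bool(m) and all(int(octet) <= 255 for octet in m.groups())


def parse_detect_hosts(conf: str) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Collect (ip, mac) pairs from arpspoof_detect_host lines; report bad ones."""
    valid: List[Tuple[str, str]] = []
    problems: List[str] = []
    for ip, mac in DETECT_HOST_RE.findall(conf):
        if not valid_ipv4(ip):
            problems.append(f'bad IPv4 address in arpspoof_detect_host: {ip}')
        elif not MAC_RE.match(mac):
            problems.append(f'bad MAC for {ip}: {mac!r}')
        else:
            valid.append((ip, mac.lower()))
    return valid, problems


if __name__ == '__main__':
    rule = parse_preproc_rule(PREPROC_RULE)
    alert = parse_fast_alert(ALERT_LINE)
    print('rule gid/sid/rev:', rule['gid'], rule['sid'], rule['rev'])
    print('alert gid/sid/rev:', alert['gid'], alert['sid'], alert['rev'])
    print('alert matches rule:', alert_matches_rule(alert, rule))
    hosts, problems = parse_detect_hosts(SNORT_CONF)
    print('protected hosts:', hosts)
    for p in problems:
        print('config problem:', p)
```

The parsers are deliberately strict about the fast-alert layout and the IP/MAC formats, so a line that does not match returns `None` or lands in the `problems` list instead of silently producing a partial record; that is the behaviour you want when feeding alerts into a downstream store.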

Posted
On 5/16/2019 at 7:31 PM, Morpheus said:

What is the process you used and I'll check it on another build.

Did you just add the below to your local.rules file?

alert ( msg: "ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK"; sid: 4; gid: 112; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )

Did you use something to generate the alert?

I already tried adding that rule to local.rules, but the same error "ERROR: 1 alerts have NOT found their way into acid_event with sid = 4" still appears.
