Posted May 16, 2019

Sorry to bother you all. I am trying to check ARP spoofing on my WinIDS system, so I activated the preprocessor rule used to detect ARP spoofing. The rule looks like this:

alert ( msg: "ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK"; sid: 4; gid: 112; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )

It works: it shows up and gives an alert in barnyard2 and Visual Syslog Server. The alert looks like this:

05/16-13:31:06.553294 [**] [112:4:1] spp_arpspoof: ARP Cache Overwrite Attack [**]

But the alert does not show in BASE. BASE gives an error that looks like this:

"D:\winids\Apache24\htdocs\base\includes\base_cache.inc.php:776: ERROR: 3 alerts have NOT found their way into acid_event with sid = 4"
"D:\winids\Apache24\htdocs\base\includes\base_cache.inc.php:521: ERROR: Alert "4 - 9618" could NOT be found in acid_event"

What should I do to fix the error and make the alert show in BASE? Thank you so much.

- Fahmi
Posted May 16, 2019

What is the process you used? I'll check it on another build. Did you just add the below to your local.rules file?

alert ( msg: "ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK"; sid: 4; gid: 112; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )

Did you use something to generate the alert?
Posted May 16, 2019

57 minutes ago, Morpheus said:
Did you just add the below to your local.rules file? alert ( msg: "ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK"; sid: 4; gid: 112; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) Did you use something to generate the alert?

No, I didn't add that rule to my local.rules file, because that rule is already active in preprocessor.rules in the folder d:\winids\snort\preproc_rules. What I did was configure my snort.conf file: I deleted the # on these lines and changed the host IP address:

# ARP spoof detection. For more information, see the Snort Manual - Configuring Snort - Preprocessors - ARP Spoof Preprocessor
preprocessor arpspoof
preprocessor arpspoof_detect_host: 192.168.43.79 f0:0f:00:f0:0f:00

I generated the alert using Angry IP Scanner to scan the IP addresses and ports. Thank you so much.
Posted May 21, 2019

On 5/16/2019 at 7:31 PM, Morpheus said:
What is the process you used and I'll check it on another build. Did you just add the below to your local.rules file? alert ( msg: "ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK"; sid: 4; gid: 112; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) Did you use something to generate the alert?

I already tried adding that rule to local.rules, but the same error "ERROR: 1 alerts have NOT found their way into acid_event with sid = 4" still appears.
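One check worth running on a setup like the one described in this thread, added here as an example and not code from any of the posters or from the Snort, barnyard2 or BASE projects: barnyard2 names events by looking the alert's gid:sid up in gen-msg.map (preprocessor and decoder events, one "gid || sid || message" line each) and sid-msg.map (gid 1 rule events, "sid || message [|| reference ...]" in the v1 layout), and the alert header that barnyard2 printed, [112:4:1], carries exactly the gid, sid and rev to look up. The script below parses fast-format alert lines like the one in the first post and reports which gid:sid pairs have no map entry. The map contents and the extra alert lines are constructed sample data, not taken from the poster's D:\winids installation, and the script does not claim that a missing map entry is the cause of the BASE error quoted above; it only makes that particular gap visible.

```python
import re
from typing import Dict, List, Optional, Tuple

# Snort "fast"/console alert header, as in the barnyard2 output quoted in the thread:
#   05/16-13:31:06.553294 [**] [112:4:1] spp_arpspoof: ARP Cache Overwrite Attack [**]
# Anything after the closing [**] (classification, priority, addresses) is ignored.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
)


def parse_alert(line: str) -> Optional[dict]:
    """Return ts/gid/sid/rev/msg from one fast-format alert line, or None if it is not one."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "gid": int(m.group("gid")),
        "sid": int(m.group("sid")),
        "rev": int(m.group("rev")),
        "msg": m.group("msg"),
    }


def parse_gen_msg_map(text: str) -> Dict[Tuple[int, int], str]:
    """gen-msg.map: 'gid || sid || message' per line; keyed by (gid, sid)."""
    table: Dict[Tuple[int, int], str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("||")]
        if len(parts) < 3:
            continue  # malformed line: skipped rather than guessed at
        table[(int(parts[0]), int(parts[1]))] = parts[2]
    return table


def parse_sid_msg_map(text: str) -> Dict[int, str]:
    """sid-msg.map, v1 layout: 'sid || message [|| reference ...]', implicitly gid 1."""
    table: Dict[int, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("||")]
        if len(parts) < 2:
            continue
        table[int(parts[0])] = parts[1]
    return table


def check_alerts(alert_text: str,
                 gen_map: Dict[Tuple[int, int], str],
                 sid_map: Dict[int, str]) -> List[Tuple[int, int, str]]:
    """For each alert line, report whether its gid:sid has a message-map entry."""
    results: List[Tuple[int, int, str]] = []
    for line in alert_text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue
        # gid 1 is the rule engine (sid-msg.map); every other gid is a preprocessor
        # or decoder and is named from gen-msg.map.
        name = sid_map.get(a["sid"]) if a["gid"] == 1 else gen_map.get((a["gid"], a["sid"]))
        results.append((a["gid"], a["sid"], "mapped" if name else "UNMAPPED"))
    return results


# Constructed sample data: a two-entry gen-msg.map, a one-entry sid-msg.map, the alert
# line from the thread plus three made-up lines (two of them deliberately unmapped).
SAMPLE_GEN_MSG_MAP = """\
# gid || sid || message
112 || 1 || (spp_arpspoof) Unicast ARP request
112 || 4 || (spp_arpspoof) ARP Cache Overwrite Attack
"""

SAMPLE_SID_MSG_MAP = """\
1000001 || LOCAL test rule
"""

SAMPLE_ALERTS = """\
05/16-13:31:06.553294 [**] [112:4:1] spp_arpspoof: ARP Cache Overwrite Attack [**]
05/16-13:31:07.000000 [**] [112:9:1] spp_arpspoof: constructed event with no map entry [**]
05/16-13:31:08.000000 [**] [1:1000001:1] LOCAL test rule [**]
05/16-13:31:09.000000 [**] [1:1000002:1] LOCAL rule missing from sid-msg.map [**]
"""


def run_sample() -> List[Tuple[int, int, str]]:
    """Run the check over the constructed sample data."""
    return check_alerts(SAMPLE_ALERTS,
                        parse_gen_msg_map(SAMPLE_GEN_MSG_MAP),
                        parse_sid_msg_map(SAMPLE_SID_MSG_MAP))


if __name__ == "__main__":
    for gid, sid, status in run_sample():
        print(f"{gid}:{sid} {status}")
```

To use it against a real box, replace the three SAMPLE_ constants with the contents of the gen-msg.map and sid-msg.map that barnyard2's config points at and a copy of the alert file; any line reported UNMAPPED is an event barnyard2 has no name for, which is the first thing to reconcile before looking further into BASE.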