From: Tom Peters (thopeter) Date: Tue, 9 Nov 2021 22:35:48 +0000 (+0000) Subject: Pull request #3154: US 708162: Timebox: Built-in rule documentation - arp_spoof X-Git-Tag: 3.1.17.0~13 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=764c58589685f8739bde891b9520232378663679;p=thirdparty%2Fsnort3.git Pull request #3154: US 708162: Timebox: Built-in rule documentation - arp_spoof Merge in SNORT/snort3 from ~MDAGON/snort3:arp_builtins to master Squashed commit of the following: commit d30a49cf87f55af799a2bf8a0bf6003cf0df38e0 Author: Maya Dagon Date: Mon Nov 8 14:19:07 2021 -0500 doc: arp_spoof builtins --- diff --git a/doc/reference/builtin_stubs.txt b/doc/reference/builtin_stubs.txt index 93304e9f7..467503734 100644 --- a/doc/reference/builtin_stubs.txt +++ b/doc/reference/builtin_stubs.txt @@ -40,19 +40,20 @@ Zero-length RPC fragment. 112:1 -(arp_spoof) unicast ARP request +ARP request is unicast, not broadcast. 112:2 -(arp_spoof) ethernet/ARP mismatch request for source +Mismatch between ethernet source hardware address and ARP source hardware address. 112:3 -(arp_spoof) ethernet/ARP mismatch request for destination +Mismatch between ethernet destination hardware address and ARP destination hardware address in an ARP reply. 112:4 -(arp_spoof) attempted ARP cache overwrite attack +Attempted ARP cache overwrite attack. The ethernet source hardware address or ARP source hardware address +doesn't match the one provided for this IP address in the configured host table. 116:1 diff --git a/src/network_inspectors/arp_spoof/arp_module.cc b/src/network_inspectors/arp_spoof/arp_module.cc index b2955cc44..9f5804a29 100644 --- a/src/network_inspectors/arp_spoof/arp_module.cc +++ b/src/network_inspectors/arp_spoof/arp_module.cc 
@@ -29,9 +29,9 @@ using namespace snort; #define ARPSPOOF_UNICAST_ARP_REQUEST_STR \ "unicast ARP request" #define ARPSPOOF_ETHERFRAME_ARP_MISMATCH_SRC_STR \ - "ethernet/ARP mismatch request for source" + "ethernet/ARP mismatch for source hardware address" #define ARPSPOOF_ETHERFRAME_ARP_MISMATCH_DST_STR \ - "ethernet/ARP mismatch request for destination" + "ethernet/ARP mismatch for destination hardware address in reply" #define ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK_STR \ "attempted ARP cache overwrite attack"
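Review bot: In the doc/reference/builtin_stubs.txt hunk, the new 112:2 text does not say which ARP operations it covers, while 112:3 is explicitly scoped with "in an ARP reply". If 112:2 applies to both requests and replies, say so in the stub so the two entries read as a pair. For 112:4, "the configured host table" would be easier to act on if it named the arp_spoof configuration setting that holds the IP-to-hardware-address entries being compared.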
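Review bot: The two replaced strings in the src/network_inspectors/arp_spoof/arp_module.cc hunk (ARPSPOOF_ETHERFRAME_ARP_MISMATCH_SRC_STR and ARPSPOOF_ETHERFRAME_ARP_MISMATCH_DST_STR) change the message text for 112:2 and 112:3, which the commit subject "doc: arp_spoof builtins" does not convey. Mention the message change in the commit message so that anyone matching on the old "ethernet/ARP mismatch request for ..." text in alert output knows to update. The DST string also ends with "in reply" where the stub for 112:3 says "in an ARP reply"; using the same phrase in both places would keep the rule message and its documentation aligned.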