IDS mailing list archives

Re: SNORT: MAC Address Alert


From: Jordan Wiens <jwiens () nersp nerdc ufl edu>
Date: Fri, 19 Sep 2003 14:53:42 -0400 (EDT)

Sorry couple of typos in that line the first time.  Corrected below.
Should be:

tcpdump -i wlan0 -c 1 -l '(ether host BA:DC:AB:BE:DE:AD) or (ether host BA:DC:AB:BE:22:22)' | mail -s "MAC alert" myphone@mycarrier.com

Of course, that's more of a one-off notification.  If you want to keep a
constant watch, the other suggestion of dumping the data to a file and having
another script monitor the file for changes is more effective in the long
term, but this is simpler for a quickie.

-- 
Jordan Wiens, CISSP
UF Network Incident Response Team
(352)392-2061

On Thu, 18 Sep 2003, Jordan Wiens wrote:

You could do that with snort, or you could more simply use tcpdump.  If
you have a machine with a wireless card and a network card, simply use
tcpdump and have it log all packets from those MACs and send the output to
a script that mails your phone.

Assuming wlan0 is the wireless interface,

tcpdump -i wlan0 -c 2-l '(ether host BA:DC:AB:BE:DE:AD) or (ether host BA:DC:AB:BE:22:22)' | mail -s They are back 
myphone () mycarrier com
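The "dump to a file and have another script watch it" variant mentioned above, written out as an added example; this is not code from the thread or from Jordan Wiens. It assumes tcpdump has been started separately with `tcpdump -i wlan0 -e -n -l 'ether host ba:dc:ab:be:de:ad or ether host ba:dc:ab:be:22:22' >> /var/log/macwatch.log` (the `-e` flag makes tcpdump print the link-layer addresses the script parses), that the two MACs are the thread's placeholder addresses, and that `send_alert` is replaced with the real delivery command such as `mail -s "MAC alert" myphone@mycarrier.com`. The one thing it adds over the one-liner is a per-MAC cooldown, so a device that is back on the network and chattering does not page the phone once per packet. Note that `ether host` matches the address as either source or destination, and that a MAC is trivially changed by whoever controls the device, so this detects a known card, not a determined intruder.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# Watches the file that `tcpdump -i wlan0 -e -n -l '<ether host filter>' >> LOG`
# appends to, and pages once per MAC per COOLDOWN seconds.

WATCH_MACS="ba:dc:ab:be:de:ad ba:dc:ab:be:22:22"   # placeholder MACs from the thread
COOLDOWN=${COOLDOWN:-600}                           # seconds between pages for one MAC
STATE_DIR=${STATE_DIR:-/tmp/macwatch}               # one timestamp file per MAC (assumed path)

# Delivery hook; replace the body with e.g.  mail -s "MAC alert" myphone@mycarrier.com
send_alert() { cat; }

# Print the watched MAC (lower-cased) that appears as source or destination in one
# `tcpdump -e -n` line, e.g.
#   "14:53:42.000001 ba:dc:ab:be:de:ad > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: ..."
# Returns 1 (prints nothing) if the line mentions no watched MAC.
watched_mac_in_line() {
    line=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    src=$(printf '%s' "$line" | awk '{print $2}')
    dst=$(printf '%s' "$line" | awk '{print $4}' | tr -d ',')
    for m in $WATCH_MACS; do
        if [ "$src" = "$m" ] || [ "$dst" = "$m" ]; then
            printf '%s\n' "$m"
            return 0
        fi
    done
    return 1
}

# Return 0 and record the time if this MAC was not paged within COOLDOWN seconds.
# $1 = MAC, $2 = current epoch seconds (passed in so it can be tested offline).
should_alert() {
    mac=$1; now=$2
    mkdir -p "$STATE_DIR"
    f="$STATE_DIR/$(printf '%s' "$mac" | tr ':' '-')"
    if [ -f "$f" ]; then
        last=$(cat "$f")
        if [ $((now - last)) -lt "$COOLDOWN" ]; then
            return 1          # still inside the cooldown window: stay quiet
        fi
    fi
    printf '%s\n' "$now" > "$f"
    return 0
}

# Handle one log line: print the alert text through send_alert, or return 1 if
# the line is not a watched MAC or the MAC is still in its cooldown window.
process_line() {
    mac=$(watched_mac_in_line "$1") || return 1
    should_alert "$mac" "$2" || return 1
    printf 'MAC alert: %s seen on wlan0: %s\n' "$mac" "$1" | send_alert
    return 0
}

# Follow the log file tcpdump appends to and page on each new hit.
# Usage: watch_log /var/log/macwatch.log
watch_log() {
    tail -n 0 -F "$1" | while IFS= read -r line; do
        process_line "$line" "$(date +%s)"
    done
}
```

Keeping the watcher separate from tcpdump means a crash or restart of the mailer does not stop packet logging, and the timestamp files survive the watcher being restarted, so a restart does not re-page every MAC already reported.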



