Snort mailing list archives

RE: Snorting the MAC address


From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 11 Apr 2002 19:14:40 -0400

Switches will pass MAC information along. They are a pure ethernet level device, and thus do not modify the packet contents; they just make intelligent choices about what ethernet port a packet should go out of. But you are correct in that a router will not pass MAC information; all packets coming out of a router will have the MAC address of the router interface.

If you really want to track IP spoofing on your local network, Arpwatch is by *far* a better tool for the job (as has been mentioned on this list ad nauseam). It's even designed to notice when the MAC of an IP address changes :)


FAQ maintainers: Here's another FAQ entry that should be added :)

Q: Can snort log the MAC addresses of packets?
--------------------
A: Since snort is generally designed to detect attacks coming into a network from the internet, the MAC address information is not useful, since it will always be the MAC address of the gateway router. If you wish to detect IP spoofing and keep track of IP to MAC information for your local network, Arpwatch is an ideal tool for the job.



(so how many drinks is it for suggesting a question be added to the FAQ?)



At 03:26 PM 4/11/2002 -0700, Turner Ryan S CONT KPWA wrote:
Yeah, there is a good reason. Routers don't pass MAC addresses along with
the packet. And hackers are usually more than a few routers away from you.
So logging MAC addresses would only work within your network. I think
switches don't even pass MAC information, not positive though. So in that
case getting the MAC would only work for computers on the same switch (or
hub) as snort, which is relatively pointless unless you're troubleshooting
something.  There might be some way to enable it in Snort, but it would
serve very limited purposes.

-----Original Message-----
From: Nate Haggard [mailto:nate () wordplace com]
Sent: Thursday, April 11, 2002 3:02 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snorting the MAC address


Snort grabs IPs, and that is great until someone tries to spoof their
IP.  Is there any way to get snort to log both the IP and MAC address?

Does anyone know what part of the code to look at for this feature?

Maybe there is a good reason snort doesn't log the MAC and I'm just
clueless.


Thanks
--
Nate Haggard, nate () wordplace com on 04/11/2002



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
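
The IP-to-MAC tracking that the message above recommends Arpwatch for can be sketched as follows. This is an added example, not part of the original thread and not Arpwatch's code; the `BindingTracker` class, its event labels and the sample frames built by `build_arp_reply` are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

def parse_arp(frame):
    """Return (sender_ip, sender_mac, eth_src_mac) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":   # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    fmt = lambda b: ":".join(f"{x:02x}" for x in b)
    return str(IPv4Address(frame[28:32])), fmt(frame[22:28]), fmt(frame[6:12])

class BindingTracker:
    """Hypothetical tracker: remembers the current and previous MAC seen for each IP."""
    def __init__(self):
        self.current = {}    # ip -> MAC most recently bound to it
        self.previous = {}   # ip -> MAC bound to it before the current one

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return None                      # not ARP: nothing to learn
        ip, mac, eth_src = parsed
        if mac != eth_src:
            return ("mismatch", ip, mac)     # ARP sender MAC disagrees with Ethernet source
        old = self.current.get(ip)
        if old == mac:
            return None                      # binding unchanged
        if old is None:
            event = "new"
        elif self.previous.get(ip) == mac:
            event = "flip-flop"              # IP went back to the MAC it had before
        else:
            event = "changed"
        self.previous[ip], self.current[ip] = old, mac
        return (event, ip, mac)

def build_arp_reply(mac_hex, ip):
    """Constructed sample input: a broadcast ARP reply saying `ip` is at `mac_hex`."""
    mac = bytes.fromhex(mac_hex.replace(":", ""))
    eth = b"\xff" * 6 + mac + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2) + mac + IPv4Address(ip).packed
    return eth + arp + b"\xff" * 6 + IPv4Address(ip).packed

if __name__ == "__main__":
    tracker = BindingTracker()
    for m in ("02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:01"):
        print(tracker.observe(build_arp_reply(m, "192.0.2.10")))
```

As the thread notes, this only sees stations on the local segment: anything arriving through a router carries the router interface's MAC.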

