Snort mailing list archives

Re: Snorting the MAC address


From: James Hoagland <hoagland () SiliconDefense com>
Date: Thu, 11 Apr 2002 16:49:15 -0700

At 4:01 PM -0600 4/11/02, Nate Haggard wrote:
> Snort grabs IPs, and that is great until someone tries to spoof their
> IP.  Is there any way to get snort to log both the IP and MAC address?
>
> Does anyone know what part of the code to look at for this feature?
>
> Maybe there is a good reason snort doesn't log the MAC and I'm just
> clueless.

Acknowledging the limitations others have pointed out, the answer to your question is the snort -e option.

        -e         Display the second layer header info

I've found the MAC information useful; it can help you figure out network topology. Also if you know the MAC of your router, you can sanity check that a packet came through there rather than having a local origin.

Best regards,

  Jim
--
|*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
|*            --- Silicon Defense: IDS Solutions ---             *|
|*  hoagland () SiliconDefense com, http://www.silicondefense.com/  *|
|*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|
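
The router-MAC sanity check described in the reply above, as an added example that is not part of the original post: it reads `snort -e` text output and lists packets whose source IP is outside the local subnet but whose frame did not come from the router's MAC. The two-line record layout, the addresses and the function names are assumptions constructed for illustration.

```python
import ipaddress
import re

# Link-layer line printed with -e (layout assumed: "time srcMAC -> dstMAC type:0x800 len:..").
ETH_RE = re.compile(r"^\S+ ([0-9A-Fa-f:]+) -> ([0-9A-Fa-f:]+) type:0x800\b")
# Network-layer line that follows it: "src[:port] -> dst[:port] ..."
IP_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)(?::\d+)? -> (\d+\.\d+\.\d+\.\d+)")

def norm_mac(mac):
    """Snort prints octets without leading zeros (0:D:A9), so compare as integers."""
    return tuple(int(octet, 16) for octet in mac.split(":"))

def local_origin_mismatches(lines, router_mac, local_net):
    """Return (src_ip, src_mac) for packets whose source IP is off-net
    although the frame was not sent by the router."""
    router = norm_mac(router_mac)
    net = ipaddress.ip_network(local_net)
    findings, src_mac = [], None
    for line in lines:
        line = line.strip()
        m = ETH_RE.match(line)
        if m:
            src_mac = m.group(1)          # remember MAC for the next line
            continue
        m = IP_RE.match(line)
        if m and src_mac is not None:
            src_ip = ipaddress.ip_address(m.group(1))
            if src_ip not in net and norm_mac(src_mac) != router:
                findings.append((str(src_ip), src_mac))
        src_mac = None                    # a MAC applies only to the line right after it
    return findings

# Constructed sample records (documentation address ranges, made-up MACs).
SAMPLE = """\
04/11-16:49:15.100000 0:D0:B7:1A:2:3 -> 0:10:4B:D:A9:66 type:0x800 len:0x4A
203.0.113.9:1034 -> 192.168.1.20:80 TCP TTL:52 TOS:0x0 ID:4242 IpLen:20 DgmLen:60

04/11-16:49:16.200000 0:50:DA:11:22:33 -> 0:10:4B:D:A9:66 type:0x800 len:0x4A
198.51.100.7:2001 -> 192.168.1.20:80 TCP TTL:64 TOS:0x0 ID:4243 IpLen:20 DgmLen:60

04/11-16:49:17.300000 0:50:DA:11:22:33 -> 0:10:4B:D:A9:66 type:0x800 len:0x4A
192.168.1.33:2002 -> 192.168.1.20:80 TCP TTL:64 TOS:0x0 ID:4244 IpLen:20 DgmLen:60
""".splitlines()

if __name__ == "__main__":
    # Router MAC and subnet are assumed values for the constructed sample.
    print(local_origin_mismatches(SAMPLE, "00:d0:b7:1a:02:03", "192.168.1.0/24"))
```

A reported pair means the frame was put on the wire by a host on the local segment, whatever its IP header claims.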
