Snort mailing list archives

Direction detection with mac address filtering


From: Martin Olsson <elof () sentor se>
Date: Mon, 10 Feb 2003 17:18:37 +0100 (CET)


Hi all!

I just came up with an idea that I think would be nice if it was
integrated into snort. Please give comments.

One big problem for many people is monitoring several different home
networks. Stating just one net in $HOME_NET is ok. A list of two or
three networks might work too, but when you have 20 different networks you
are forced to set $HOME_NET to "any". This implies that $EXTERNAL_NET will
also be set to "any". All logged alerts will then be based on an "any to
any"-criteria, which means that you manually have to determine whether the
alert originated from the intranet or from some external address.

If one could specify variables as $EXTERNAL_MAC, $HOME_MAC, $DMZ1_MAC,
$DMZ2_MAC, etc, and use them to filter packets based on their
source and destination MAC-address, then in effect we could detect the
direction of a single packet or a flow even in the "any to any"-criteria.

I guess you would have to add two new fields to all rules, src-mac and
dst-mac:

type  proto src-mac dst-mac       src-ip    port   dst-ip        port
------------------------------------------------------------------------
alert udp   any  -> $EXTERNAL_MAC $HOME_NET any -> $EXTERNAL_NET 53  ...

This rule evaluates into:
alert udp   any  -> 001122334455  any       any -> any           53  ...

This rule would only trigger on packets going *out*...

Is this possible? Is it useful enough for the developers to implement it?

/Martin
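The two-field idea from the post, worked through as an added example (not part of the original message and not Snort code): a toy evaluator for the proposed src-mac/dst-mac rule header, with $EXTERNAL_MAC set to a constructed border-router MAC and $HOME_NET/$EXTERNAL_NET both left at "any".

```python
# Added example: a toy evaluator for the proposed src-mac / dst-mac rule
# fields. Not Snort code; every MAC, IP and port value below is constructed.
from dataclasses import dataclass

ANY = "any"
EXTERNAL_MAC = "00:11:22:33:44:55"  # constructed: LAN-side MAC of the border router

@dataclass(frozen=True)
class Packet:
    proto: str
    src_mac: str
    dst_mac: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

# Proposed 8-field header: proto, src-mac, dst-mac, src-ip, src-port,
# dst-ip, dst-port, msg. "any" is a wildcard, as in Snort. Note that the
# IP side of both rules is "any -> any", so only the MACs give direction.
RULES = [
    ("udp", ANY, EXTERNAL_MAC, ANY, ANY, ANY, 53, "outbound DNS query"),
    ("udp", EXTERNAL_MAC, ANY, ANY, 53, ANY, ANY, "inbound DNS response"),
]

def _match(field, value):
    return field == ANY or field == value

def rule_matches(rule, pkt):
    proto, smac, dmac, sip, sport, dip, dport, _ = rule
    return (proto == pkt.proto and _match(smac, pkt.src_mac) and _match(dmac, pkt.dst_mac)
            and _match(sip, pkt.src_ip) and _match(sport, pkt.src_port)
            and _match(dip, pkt.dst_ip) and _match(dport, pkt.dst_port))

def direction(pkt, external_mac=EXTERNAL_MAC):
    """Direction derived from MACs alone, independent of $HOME_NET."""
    if pkt.src_mac == external_mac and pkt.dst_mac == external_mac:
        return "hairpin"      # router talking to itself; classify separately
    if pkt.dst_mac == external_mac:
        return "outbound"     # leaving via the router
    if pkt.src_mac == external_mac:
        return "inbound"      # arriving via the router
    return "internal"         # never crossed the router: host to host

def alerts_for(pkt, rules=RULES):
    return [rule[-1] for rule in rules if rule_matches(rule, pkt)]

# Constructed traffic: a host queries an external resolver, the answer
# returns, and two internal hosts talk on port 53 without touching the router.
QUERY    = Packet("udp", "aa:bb:cc:00:00:01", EXTERNAL_MAC, "10.7.3.20", 40123, "198.51.100.5", 53)
RESPONSE = Packet("udp", EXTERNAL_MAC, "aa:bb:cc:00:00:01", "198.51.100.5", 53, "10.7.3.20", 40123)
INTERNAL = Packet("udp", "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "10.7.3.20", 40124, "10.9.1.1", 53)
```

The MAC test only works where the sensor sits on the same layer-2 segment as the router, because every routed hop rewrites both MAC addresses.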

