Snort mailing list archives

Re: [Snort-devel] New Feature based on MAC address filtering (Possible !!!!!)


From: Frank Knobbe <fknobbe () knobbeits com>
Date: 17 Jun 2003 00:14:28 -0500

On Mon, 2003-06-16 at 23:23, Atul Shrivastava wrote:
> The feature is such that we can make rules based on the MAC address. I
> mean to say that I will make a pool of valid MAC addresses, and then if
> any of the MAC addresses doesn't match this MAC address pool then
> an alert is generated for that. For that it is required to add
> one more preprocessor, and in that preprocessor we have to
> manually add the MAC addresses. Is it possible? Because this feature
> is not there in any of the leading IDS.

To discover new MAC addresses, use arpwatch. It is not the role of an
IDS to detect new MACs.

> This feature solves the problem that if anyone comes to your internal
> LAN physically with his laptop and then plugs his laptop into the
> internal LAN and takes a valid IP from some employee on a personal
> basis and tries to copy some important and confidential data from the
> network or tries to do something illegal in the network, if this feature
> is there then he will be caught by that thing.

Keep in mind that the rogue laptop would have to be plugged into the
same broadcast domain as the IDS, otherwise you won't detect the new MAC
address. You can however detect new IP addresses and you can detect
illegal activity.

If you are concerned about ARP spoofing, I believe Jeff's arpspoof
preprocessor takes care of that.


Don't try to put too many functions in one piece of software. Instead,
create an arsenal of tools dedicated to certain tasks. Snort does not
detect when your hard drives run out of disk space either. Sometimes I
get the feeling that people want to put too much functionality into one
device, and try to shape it like a silver bullet. It won't work.
(Firewalls and access control and IDS and virus scanning and content
management and PKI and identity management and network forensics.....
all in one box? ;)

Regards,
Frank
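As an added example (not from this thread, and not Snort or arpwatch code), here is a small Python detector that applies the MAC allow-list idea Atul describes together with the arpwatch-style IP-to-MAC tracking Frank points to, run over Ethernet frames constructed in memory. The MAC addresses, IP addresses and the MacWatch/run_demo names are assumptions made up for the example. The third frame illustrates Frank's caveat: traffic that reaches the sensor through a router carries the router's MAC as the source address, so a host in another broadcast domain never shows up in a MAC allow-list check.

```python
"""Allow-list check on Ethernet source MACs plus IP/MAC change tracking.

Constructed example: every frame is built in memory; nothing is captured
from a network interface.
"""
import struct

ARP_ETHERTYPE = 0x0806
IPV4_ETHERTYPE = 0x0800
BROADCAST = "ff:ff:ff:ff:ff:ff"


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def parse_ethernet(frame: bytes):
    """Split a raw Ethernet II frame into (dst_mac, src_mac, ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a 14-byte Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return fmt_mac(dst), fmt_mac(src), ethertype, frame[14:]


class MacWatch:
    """Alert on source MACs outside the allow-list and on IPs that change MAC."""

    def __init__(self, allowed_macs):
        self.allowed = {m.lower() for m in allowed_macs}
        self.ip_to_mac = {}   # last MAC seen claiming each IP in ARP
        self.alerts = []      # (kind, mac, ip-or-None)

    def inspect(self, frame: bytes):
        _dst, src, ethertype, payload = parse_ethernet(frame)
        # Allow-list check: only frames that physically reach the sensor's
        # broadcast domain carry the real host MAC here.
        if src not in self.allowed:
            self.alerts.append(("UNKNOWN_MAC", src, None))
        if ethertype == ARP_ETHERTYPE and len(payload) >= 28:
            # ARP body: htype(2) ptype(2) hlen(1) plen(1) oper(2) sha(6) spa(4) ...
            sha = fmt_mac(payload[8:14])
            spa = ".".join(str(b) for b in payload[14:18])
            previous = self.ip_to_mac.get(spa)
            if previous is not None and previous != sha:
                self.alerts.append(("IP_MAC_CHANGE", sha, spa))
            self.ip_to_mac[spa] = sha
        return self.alerts


def build_arp_request(src_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Constructed broadcast ARP request (who-has target_ip, tell sender_ip)."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, IPV4_ETHERTYPE, 6, 4, 1,
                      mac_bytes(src_mac), ip_bytes(sender_ip),
                      b"\x00" * 6, ip_bytes(target_ip))
    return (mac_bytes(BROADCAST) + mac_bytes(src_mac)
            + struct.pack("!H", ARP_ETHERTYPE) + arp)


def build_ipv4_frame(src_mac: str, dst_mac: str, payload: bytes) -> bytes:
    """Constructed Ethernet frame carrying an (opaque) IPv4 payload."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", IPV4_ETHERTYPE) + payload


def run_demo():
    # Assumed allow-list: two workstations and the segment's router.
    allowed = {"00:0c:29:aa:bb:01", "00:0c:29:aa:bb:02", "00:50:56:ee:ff:01"}
    watch = MacWatch(allowed)
    # 1. Known workstation announces 10.0.0.10: no alert, mapping learned.
    watch.inspect(build_arp_request("00:0c:29:aa:bb:01", "10.0.0.10", "10.0.0.1"))
    # 2. Unlisted MAC claims the same IP: UNKNOWN_MAC plus IP_MAC_CHANGE.
    watch.inspect(build_arp_request("00:11:22:33:44:55", "10.0.0.10", "10.0.0.1"))
    # 3. Routed traffic arrives with the router's MAC: the remote host's own
    #    MAC is invisible here, so the allow-list cannot flag it.
    watch.inspect(build_ipv4_frame("00:50:56:ee:ff:01", "00:0c:29:aa:bb:02",
                                   b"\x45" + b"\x00" * 19))
    return list(watch.alerts)


if __name__ == "__main__":
    for kind, mac, ip in run_demo():
        print(kind, mac, ip or "")
```

Running the file prints the two alerts from the second frame and nothing for the third, which is the point Frank makes: an allow-list at the sensor only covers hosts in the sensor's own broadcast domain, while the IP-to-MAC change check is the part arpwatch already does.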
 
