Snort mailing list archives
Re: Writing a rule to trigger on a spoofed mac address
From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Tue, 20 Oct 2009 10:42:37 -0600
Hi Scott,

I don't believe that the MAC addresses you are seeing are the real addresses. My understanding is that Snort / Barnyard (or BASE?) doesn't record them in the database and these are just made up values in the pcap file.

Shawn

________________________________
From: Dawson,Scottie [mailto:scottie.Dawson () ColoState EDU]
Sent: Tuesday, October 20, 2009 9:18 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Writing a rule to trigger on a spoofed mac address

Snort folks,

I have gotten some alerts recently on traffic triggered by "Emerging Threats Trojan Bot - potential reptile commands". When we looked at the PCAP file we saw that the MAC address on both ends of the conversation was spoofed: 11:22:33:44:55:66 and de:ad:ca:fe:ba:be. I am wondering if it's possible to write a rule that triggers on either one of those MAC addresses? I was reading in the Snort manual and I see potential reasons why this is not possible, such as the protocols portion of the alert (page 92). If it is possible could you guys point me in the right direction?

scott

Scott Dawson
ACNS Network Security
970-297-3712
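Shawn's point is that the Ethernet addresses in a logged pcap should be checked rather than trusted. As an added example that is not part of the thread, the Python below parses the Ethernet headers of a classic (libpcap) capture and reports frames whose source or destination is one of the two addresses Scott quoted; the capture bytes are constructed inline, and the two-address list is an assumption taken from his mail.

```python
import struct

# The two addresses from the thread, treated here as placeholder values to flag.
PLACEHOLDER_MACS = {"11:22:33:44:55:66", "de:ad:ca:fe:ba:be"}


def mac_str(raw: bytes) -> str:
    """Render six raw bytes as colon-separated lowercase hex."""
    return ":".join(f"{b:02x}" for b in raw)


def iter_pcap_frames(data: bytes):
    """Yield raw link-layer frames from a classic pcap, in either byte order."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    link_type = struct.unpack(endian + "I", data[20:24])[0]
    if link_type != 1:  # DLT_EN10MB: only Ethernet captures are handled
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def flag_placeholder_macs(data: bytes):
    """Return (frame_index, src_mac, dst_mac) for every frame touching a flagged MAC."""
    hits = []
    for i, frame in enumerate(iter_pcap_frames(data)):
        if len(frame) < 14:  # truncated frame, no complete Ethernet header
            continue
        dst, src = mac_str(frame[0:6]), mac_str(frame[6:12])
        if src in PLACEHOLDER_MACS or dst in PLACEHOLDER_MACS:
            hits.append((i, src, dst))
    return hits


def build_sample_pcap() -> bytes:
    """Constructed two-frame capture: one frame with the thread's MACs, one ordinary."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    eth1 = bytes.fromhex("112233445566") + bytes.fromhex("deadcafebabe") + b"\x08\x00" + b"\x00" * 20
    eth2 = bytes.fromhex("001a2b3c4d5e") + bytes.fromhex("001f16aabbcc") + b"\x08\x00" + b"\x00" * 20
    records = b"".join(struct.pack("<IIII", 1256054280 + n, 0, len(f), len(f)) + f
                       for n, f in enumerate((eth1, eth2)))
    return header + records


if __name__ == "__main__":
    for idx, src, dst in flag_placeholder_macs(build_sample_pcap()):
        print(f"frame {idx}: {src} -> {dst} uses a placeholder MAC")
```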