Snort mailing list archives

Re: Writing a rule to trigger on a spoofed mac address


From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Tue, 20 Oct 2009 10:42:37 -0600

Hi Scott,

I don't believe that the MAC addresses you are seeing are the real addresses.  My understanding is that Snort / 
Barnyard (or BASE?) doesn't record them in the database and these are just made up values in the pcap file.

Shawn

________________________________
From: Dawson,Scottie [mailto:scottie.Dawson () ColoState EDU]
Sent: Tuesday, October 20, 2009 9:18 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Writing a rule to trigger on a spoofed mac address

Snort folks

I have gotten some alerts recently on traffic triggered by "Emerging Threats Trojan Bot - potential reptile commands".
When we looked at the PCAP file we saw that the MAC address on both ends of the conversation was spoofed
11:22:33:44:55:66 and de:ad:ca:fe:ba:be.  I am wondering if it's possible to write a rule that triggers on either one
of those MAC addresses?  I was reading in the Snort manual and I see potential reasons why this is not possible such as
the protocols portion of the alert (page 92).  If it is possible could you guys point me in the right direction?

scott


Scott Dawson
ACNS Network Security
970-297-3712
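As an added example (not part of this thread), here is the check Scott asks about done outside Snort's rule language: a small Python parser that walks the Ethernet headers of a classic pcap file and flags frames whose source or destination MAC is one of the two values quoted in the message. The pcap bytes and the "normal" MACs are constructed inline; the watchlist values are the ones from the thread.

```python
import struct

# The two values quoted in the thread, treated as a watchlist of suspect MACs.
WATCHLIST = {"11:22:33:44:55:66", "de:ad:ca:fe:ba:be"}
PCAP_MAGIC_LE = 0xA1B2C3D4  # classic pcap magic as read little-endian

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def iter_ethernet_macs(pcap: bytes):
    """Yield (frame_no, src_mac, dst_mac) for each record of a link-type-1
    (Ethernet) pcap; both byte orders of the global header are handled."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "I", pcap[20:24])[0]
    if linktype != 1:
        raise ValueError(f"expected Ethernet link type 1, got {linktype}")
    offset, frame_no = 24, 0
    while offset + 16 <= len(pcap):  # 16-byte per-record header
        _sec, _usec, incl_len, _orig = struct.unpack(endian + "IIII", pcap[offset:offset + 16])
        frame = pcap[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        frame_no += 1
        if len(frame) < 14:
            continue  # snaplen cut the frame before a full Ethernet header
        yield frame_no, mac_str(frame[6:12]), mac_str(frame[0:6])

def find_watchlisted_frames(pcap: bytes):
    """Return (frame_no, src, dst, matched_macs) for every frame touching the watchlist."""
    hits = []
    for frame_no, src, dst in iter_ethernet_macs(pcap):
        matched = sorted(WATCHLIST & {src, dst})
        if matched:
            hits.append((frame_no, src, dst, matched))
    return hits

# Constructed sample data: a minimal pcap with three Ethernet/IPv4 frames.
def build_pcap(frames):
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

def eth_frame(dst, src, payload=b"\x00" * 20):
    return bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", "")) + b"\x08\x00" + payload

SAMPLE_PCAP = build_pcap([
    eth_frame("de:ad:ca:fe:ba:be", "11:22:33:44:55:66"),  # both placeholder MACs
    eth_frame("00:1b:21:aa:bb:cc", "00:50:56:12:34:56"),  # constructed ordinary MACs
    eth_frame("11:22:33:44:55:66", "00:50:56:12:34:56"),  # one side on the watchlist
])
```

Run `find_watchlisted_frames(open("capture.pcap", "rb").read())` against a real capture to list the frames and the MAC that matched.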

