Snort mailing list archives
Re: Logging MAC address with snort, barnyard2 & MySQL
From: David Guimaraes <skysbsb () gmail com>
Date: Sun, 22 Aug 2010 18:34:57 -0300
I searched about this some time ago, also without finding answers. The only way I found to recover the MACs of hosts is going directly to the unified2 file of snort, and running the following:

    $ cd /var/log/snort

    # Generate the pcap format from unified2 output log
    $ barnyard2 -c barn-pcap-log.conf -o snort2.ethX.u2.XXXX -l /var/log/snort/tcpdumps

    # Filter only the finding packet
    $ tcpdump -e -n -r tcpdump.log.XXXX host WWW and port ZZZ and host XXX

    # Barnyard2 pcap output file
    $ cat barn-pcap-log.conf
    config classification_file: /etc/snort/classification.config
    config gen_file: /etc/snort/gen-msg.map
    config reference_file: /etc/snort/reference.config
    config sid_file: /etc/snort/sid-msg.map
    input unified2
    output log_tcpdump: tcpdump.log

Or, of course, change the code of the database output plugin of barnyard2 to include the ethernet frame in the packet logs in the database, and change BASE to interpret the ethernet frame.

On Fri, Aug 20, 2010 at 11:11 AM, Guillaume Blanc <guillaume.b.blanc () gmail com> wrote:
Hello everyone,

I'm actually trying to get the MAC address of the IP shown in the snort alert, but when I download the pcap packet from BASE the only MAC addresses that I've got are 11:22:33:44:55:66 and de:ad:ca:fe:ba:be (dead:cafe:babe)...

I've searched around and found the option -e to activate in snort. But no more result. I also use barnyard2 and I tried to activate the same option.

I've found this post, which was really interesting: "http://www.infosecramblings.com/2008/12/02/snort-base-mysql-and-a-deadcafebabe/" And in the comments someone said it was possible with barnyard2 apparently.

Do you have any clue on how I can have those MAC addresses?

Thank You

------------------------------------------------------------------------------
This SF.net email is sponsored by Make an app they can't live without
Enter the BlackBerry Developer Challenge
http://p.sf.net/sfu/RIM-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
David Gomes Guimarães
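An added example, not from anyone in this thread, of the "go directly to the unified2 file" approach David describes: it walks the unified2 packet records (type 2) and reads the Ethernet source/destination MACs straight out of the stored frame, so the MACs can be recovered without the barnyard2 pcap conversion and tcpdump -e step. The sample unified2 bytes are constructed inline; the IP and MAC values in it are made-up example values.

```python
import struct

UNIFIED2_PACKET = 2  # record type of a Unified2Packet record
DLT_EN10MB = 1       # pcap linktype value for Ethernet

def iter_unified2_records(data: bytes):
    """Yield (type, body) per record: 8-byte big-endian header (type, length), then body."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from("!II", data, off)
        off += 8
        if off + rlen > len(data):
            raise ValueError("truncated unified2 record")
        yield rtype, data[off:off + rlen]
        off += rlen

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def extract_macs(data: bytes) -> list:
    """Return src/dst MAC (plus IPv4 endpoints when present) for every
    Ethernet packet record in a unified2 byte string."""
    found = []
    for rtype, body in iter_unified2_records(data):
        if rtype != UNIFIED2_PACKET:
            continue
        # Unified2Packet header: sensor_id, event_id, event_second,
        # packet_second, packet_microsecond, linktype, packet_length
        _sid, event_id, _es, _ps, _pus, linktype, plen = struct.unpack_from("!7I", body)
        frame = body[28:28 + plen]
        if linktype != DLT_EN10MB or len(frame) < 14:
            continue  # not an Ethernet frame: no MACs to recover
        rec = {"event_id": event_id,
               "dst_mac": mac_str(frame[0:6]), "src_mac": mac_str(frame[6:12])}
        if struct.unpack_from("!H", frame, 12)[0] == 0x0800 and len(frame) >= 34:
            rec["src_ip"] = ".".join(map(str, frame[26:30]))
            rec["dst_ip"] = ".".join(map(str, frame[30:34]))
        found.append(rec)
    return found

def build_sample_unified2() -> bytes:
    """Constructed sample: one packet record holding a minimal Ethernet/IPv4 frame."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    ipv4 = (bytes.fromhex("4500001400004000" "40060000")
            + bytes([192, 0, 2, 10]) + bytes([198, 51, 100, 7]))
    frame = eth + ipv4
    pkt = struct.pack("!7I", 1, 42, 0, 0, 0, DLT_EN10MB, len(frame)) + frame
    return struct.pack("!II", UNIFIED2_PACKET, len(pkt)) + pkt
```

Run it against a real spool file by reading the unified2 file into bytes and passing it to extract_macs; records that are not Ethernet (other linktypes, or event records) are skipped rather than mis-parsed.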
Current thread:
- Logging MAC address with snort, barnyard2 & MySQL Guillaume Blanc (Aug 20)
- Re: Logging MAC address with snort, barnyard2 & MySQL David Guimaraes (Aug 22)