Snort mailing list archives
Differentiate between host with same IP but different MAC
From: Will Higdon <higdons () hotmail com>
Date: Thu, 11 Aug 2016 20:36:24 +0000
This may have been answered, but we need help finding the answer:

We have three networks containing multiple cloned hosts (200+ hosts per network) with the same IP addresses and hostnames but different MAC addresses.

For example:

Net 1
Hostname  IPAddr    MacAddr
Server1   16.5.4.3  11:23:14:AA:BB:SS

Net 1
Hostname  IPAddr    MacAddr
Server1   16.5.4.3  11:23:18:AA:BB:TT

Net 1
Hostname  IPAddr    MacAddr
Server1   16.5.4.3  11:23:00:AA:BB:RR

All traffic from each network is sent to/through one data aggregator to the Snort sensor.

How do we filter inside the sensor to differentiate between the servers?

Extra information: We use Snort connectors to get the alerts to the SIEM.

Thank you
/Ian