Snort mailing list archives

Re: Barnyard2/Base MAC Address from PCAP


From: Gordon Wallum <gordon_wallum () otowfl com>
Date: Wed, 3 Jan 2018 20:22:53 +0000

Thanks for the info, wkitty.

I can find the MAC addresses in the Snort unified2 log, but when barnyard2 inputs the logs into SQL it doesn't store 
the layer2 MAC data and instead uses a bogus hardcoded one.

Is there any way to achieve this? I found an article explaining the same problem:

http://seclists.org/snort/2010/q3/562


Description of problem if unclear:
        Using snort in IDS mode with logs stored as snort.u2 (binary log)
        Using barnyard2 to transfer logs to SQL
        Using BASE to view SQL logs through HTML gui
        When I download the pcap data for an alert from BASE, the MAC addresses are not stored correctly

Thank you,



Gordon Wallum


Network Security Administrator
Information Technology Department


On Top of the World Communities & Related Entities
P 352.873.0848 x.7412   F 352.861.9569
9860 SW 84 Court, Suite D, Ocala, FL 34481
OnTopoftheWorld.com



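Since the real layer 2 addresses are still present in the unified2 packet records even when barnyard2 writes its placeholder MACs to SQL, one way to check what the sensor actually saw is to read them straight from the unified2 file. The following is an added example, not code from the thread or from barnyard2/BASE; it follows the unified2 packet-record layout (network byte order, record type 2) and uses a constructed sample log rather than a real capture.

```python
import struct

UNIFIED2_PACKET = 2        # unified2 record type that carries the raw captured packet
DLT_EN10MB = 1             # libpcap link type for Ethernet
RECORD_HDR = struct.Struct("!II")        # record type, record length
PACKET_HDR = struct.Struct("!IIIIIII")   # sensor_id, event_id, event_second,
                                         # packet_second, packet_usec, linktype, packet_length
PLACEHOLDER_MACS = {"de:ad:ca:fe:ba:be", "11:22:33:44:55:66"}  # values barnyard2 hardcodes

def mac_str(raw):
    """Render 6 raw bytes as the usual colon-separated MAC notation."""
    return ":".join(f"{b:02x}" for b in raw)

def iter_records(blob):
    """Yield (record_type, payload) for every record in a unified2 byte string."""
    off = 0
    while off + RECORD_HDR.size <= len(blob):
        rtype, rlen = RECORD_HDR.unpack_from(blob, off)
        off += RECORD_HDR.size
        yield rtype, blob[off:off + rlen]
        off += rlen

def layer2_addresses(blob):
    """Return {event_id: (src_mac, dst_mac)} for Ethernet packet records.

    Non-Ethernet link types (PPP, for example) carry no MAC header, so those
    records are skipped instead of being reported with made-up addresses.
    """
    found = {}
    for rtype, payload in iter_records(blob):
        if rtype != UNIFIED2_PACKET or len(payload) < PACKET_HDR.size:
            continue
        _sensor, event_id, _es, _ps, _pus, linktype, plen = PACKET_HDR.unpack_from(payload)
        pkt = payload[PACKET_HDR.size:PACKET_HDR.size + plen]
        if linktype != DLT_EN10MB or len(pkt) < 14:
            continue
        dst, src = pkt[0:6], pkt[6:12]   # Ethernet header: dst MAC, src MAC, ethertype
        found[event_id] = (mac_str(src), mac_str(dst))
    return found

def build_packet_record(event_id, src_mac, dst_mac, linktype=DLT_EN10MB):
    """Constructed sample record (not from a real sensor) so the parser runs offline."""
    ether = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    pkt = ether + b"\x08\x00" + b"\x45" + b"\x00" * 19   # IPv4 ethertype + dummy IP header
    body = PACKET_HDR.pack(1, event_id, 1514995200, 1514995200, 0, linktype, len(pkt)) + pkt
    return RECORD_HDR.pack(UNIFIED2_PACKET, len(body)) + body

# Constructed log: one Ethernet record and one PPP record (linktype 9) that must be skipped.
SAMPLE_LOG = (build_packet_record(7, "00:0c:29:3e:1a:2b", "00:50:56:c0:00:08")
              + build_packet_record(8, "aa:bb:cc:dd:ee:ff", "ff:ff:ff:ff:ff:ff", linktype=9))

if __name__ == "__main__":
    for eid, (src, dst) in layer2_addresses(SAMPLE_LOG).items():
        flag = " (barnyard2 placeholder)" if src in PLACEHOLDER_MACS else ""
        print(f"event {eid}: src {src} dst {dst}{flag}")
```

As wkitty notes, the addresses recovered this way are those of the last hop before the sensor, not of the original host, so they identify the adjacent router or switch port rather than a remote sender.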


-----Original Message-----
From: Snort-users [mailto:snort-users-bounces () lists snort org] On Behalf Of wkitty42 () windstream net
Sent: Wednesday, January 03, 2018 10:36 AM
To: snort-users () lists snort org
Subject: Re: [Snort-users] Barnyard2/Base MAC Address from PCAP

On 01/03/2018 09:18 AM, Gordon Wallum wrote:
Looking to pull layer 2 information from Barnyard2/BASE PCAP file

The mac addresses are just showing as fake place holders: 
de:ad:ca:fe:ba:be and
11:22:33:44:55:66

Any way to capture this information from base without having to go into 
the unified2 log?


i don't know about your problem but remember that MACs are only good for the 1st hop... they are changed as the packet 
travels through each intermediate device... what you receive that originates outside may not have MAC info if you're 
more than one hop inside your perimeter... you're definitely one hop because of your router... i see similar, too, when 
working with PPP connections, for example...


--
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list unless*
        *a signed and pre-paid contract is in effect with us.*
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette