Snort mailing list archives
Re: Barnyard2/Base MAC Address from PCAP
From: Gordon Wallum <gordon_wallum () otowfl com>
Date: Wed, 3 Jan 2018 20:22:53 +0000
Thanks for the info wkitty. I can find the MAC addresses in the Snort unified2 log, but when barnyard2 inputs the logs into SQL it doesn't store the layer 2 MAC data and instead uses a bogus hardcoded one. Is there any way to achieve this? I found an article explaining the same problem: http://seclists.org/snort/2010/q3/562

Description of problem if unclear:

Using Snort in IDS mode with logs stored as snort.u2 (binary log)
Using barnyard2 to transfer logs to SQL
Using BASE to view SQL logs through an HTML GUI

When I download the pcap data for an alert from BASE, the MAC addresses are not stored correctly.

Thank you,

Gordon Wallum
Network Security Administrator
Information Technology Department
On Top of the World Communities & Related Entities
P 352.873.0848 x.7412
F 352.861.9569
9860 SW 84 Court, Suite D, Ocala, FL 34481
OnTopoftheWorld.com

Please consider the environment before printing this e-mail or other documents.

The contents of this e-mail message and any attachments are confidential and are intended solely for the addressee. The information may also be legally privileged. This transmission is sent in trust, for the sole purpose of delivery to the intended recipient. If you have received this transmission in error, any use, reproduction or dissemination of this transmission is strictly prohibited. If you are not the intended recipient, please immediately notify the sender by reply e-mail or phone and delete this message and its attachments, if any.

-----Original Message-----
From: Snort-users [mailto:snort-users-bounces () lists snort org] On Behalf Of wkitty42 () windstream net
Sent: Wednesday, January 03, 2018 10:36 AM
To: snort-users () lists snort org
Subject: Re: [Snort-users] Barnyard2/Base MAC Address from PCAP

On 01/03/2018 09:18 AM, Gordon Wallum wrote:
> Looking to pull layer 2 information from the Barnyard2/BASE PCAP file. The MAC addresses are just showing as fake placeholders: de:ad:ca:fe:ba:be and 11:22:33:44:55:66. Any way to capture this information from BASE without having to go into the unified2 log?
i don't know about your problem but remember that MACs are only good for the 1st hop... they are changed as the packet travels through each intermediate device... what you receive that originates outside may not have MAC info if you're more than one hop inside your perimeter... you're definitely one hop because of your router... i see similar, too, when working with PPP connections, for example...

--
NOTE: No off-list assistance is given without prior approval.
*Please keep mailing list traffic on the list unless*
*a signed and pre-paid contract is in effect with us.*

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
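As an added example for this thread (not code from Snort, barnyard2 or BASE, and not something posted by anyone on the list): a small Python reader that walks a unified2 file and returns the source and destination MACs from each packet record, which is where the real layer 2 data still lives before barnyard2's database output drops it. The record layout it assumes is the unified2 format Snort 2.x writes: an 8-byte big-endian (type, length) header per record, type 2 for packet records whose body starts with seven uint32 fields (sensor_id, event_id, event_second, packet_second, packet_microsecond, linktype, packet_length) followed by the raw frame, and linktype 1 for Ethernet. The blob produced by build_sample() is constructed for the example, not a real capture. The reader skips non-Ethernet link types, since, as wkitty notes, a PPP capture carries no MAC header to read, and it stops cleanly at a truncated final record, which is what you get when reading a file Snort is still writing.

```python
"""Pull layer 2 MAC addresses out of a Snort unified2 file.

Added example for this thread; not code from Snort, barnyard2 or BASE.
Assumed record layout (unified2 as written by Snort 2.x): every record
is a big-endian (type, length) header followed by `length` body bytes;
type 2 is a packet record whose body starts with seven uint32 fields
(sensor_id, event_id, event_second, packet_second, packet_microsecond,
linktype, packet_length) and then the raw captured packet.
"""
import struct
import sys

UNIFIED2_PACKET = 2          # record type carrying the captured packet
DLT_EN10MB = 1               # linktype value for an Ethernet frame

REC_HDR = struct.Struct("!II")         # type, length
PKT_HDR = struct.Struct("!IIIIIII")    # seven uint32 fields, see above


def iter_records(blob):
    """Yield (type, body) for each complete record in a unified2 byte string.

    A partial record at the end (file still being written by Snort) is
    ignored rather than raised on, so a live spool file can be read."""
    off = 0
    while off + REC_HDR.size <= len(blob):
        rtype, length = REC_HDR.unpack_from(blob, off)
        off += REC_HDR.size
        if off + length > len(blob):
            break  # truncated tail
        yield rtype, blob[off:off + length]
        off += length


def mac_str(six_bytes):
    return ":".join("%02x" % b for b in six_bytes)


def packet_macs(blob):
    """Return [(event_id, src_mac, dst_mac, ethertype), ...] for every
    Ethernet packet record in `blob`.

    Records with a non-Ethernet linktype (e.g. PPP) have no MAC header,
    so they are skipped; so are frames too short to hold one."""
    out = []
    for rtype, body in iter_records(blob):
        if rtype != UNIFIED2_PACKET or len(body) < PKT_HDR.size:
            continue
        (_sensor, event_id, _ev_sec, _pkt_sec, _pkt_usec,
         linktype, pkt_len) = PKT_HDR.unpack_from(body, 0)
        frame = body[PKT_HDR.size:PKT_HDR.size + pkt_len]
        if linktype != DLT_EN10MB or len(frame) < 14:
            continue
        dst, src = frame[0:6], frame[6:12]
        ethertype = struct.unpack("!H", frame[12:14])[0]
        out.append((event_id, mac_str(src), mac_str(dst), ethertype))
    return out


def build_sample():
    """Constructed two-record unified2 blob (not a real capture): an
    event record the reader ignores, then a packet record holding a
    minimal Ethernet/IPv4 frame for event_id 42."""
    event_body = bytes(52)                      # type 7 body, contents unused here
    frame = (bytes.fromhex("001122334455")      # dst MAC
             + bytes.fromhex("aabbccddeeff")    # src MAC
             + bytes.fromhex("0800")            # ethertype IPv4
             + bytes(20))                       # dummy IPv4 header
    pkt_body = PKT_HDR.pack(1, 42, 1514995200, 1514995200, 0,
                            DLT_EN10MB, len(frame)) + frame
    return (REC_HDR.pack(7, len(event_body)) + event_body
            + REC_HDR.pack(UNIFIED2_PACKET, len(pkt_body)) + pkt_body)


if __name__ == "__main__":
    # usage: python unified2_macs.py /var/log/snort/snort.u2.1514995200
    # with no argument the constructed sample is parsed instead
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for event_id, src, dst, etype in packet_macs(data):
        print("event %d: %s -> %s (ethertype 0x%04x)" % (event_id, src, dst, etype))
```

Point it at the same snort.u2 file barnyard2 is spooling and match event_id against the alert BASE shows; the MACs returned are the ones from the frame as the sensor saw it, which, per wkitty's point above, are those of the last hop before the sensor, not of the original sender.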
Current thread:
- Barnyard2/Base MAC Address from PCAP Gordon Wallum (Jan 03)
- Re: Barnyard2/Base MAC Address from PCAP wkitty42 (Jan 03)
- Re: Barnyard2/Base MAC Address from PCAP Gordon Wallum (Jan 03)
- Re: Barnyard2/Base MAC Address from PCAP wkitty42 (Jan 03)
- Re: Barnyard2/Base MAC Address from PCAP Gordon Wallum (Jan 03)
- Re: Barnyard2/Base MAC Address from PCAP wkitty42 (Jan 03)