Snort mailing list archives
RE: Alert Based on MAC Address
From: "Wirth, Jeff" <WirthJe () DNB com>
Date: Thu, 21 Mar 2002 17:47:14 -0500
Am I misunderstanding the content keyword or is there another way to
accomplish this?

Hmmm... I don't think snort in IDS mode can help you here. The MAC lives in the link-level header and the content keyword looks in the packet payload. You may want to consider crafting something up with snort in sniffer mode (or tcpdump) using the filter option, i.e.

# snort -v ether host <Enter your MAC here>

This would trigger output anytime snort came across a packet with the MAC in question.

Hope this helps..

- Jeff
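An added example, not part of the original message: it shows why a payload byte search misses a MAC address while an `ether host`-style test on the link-level header finds it. The frames and addresses are constructed sample data, the function names are hypothetical, and "payload" is simplified to everything after the link header, a superset of what the content keyword inspects.

```python
import struct

def parse_mac(text):
    """Convert 'aa:bb:cc:dd:ee:ff' (or '-' separated) to 6 raw bytes."""
    raw = bytes.fromhex(text.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return raw

def split_frame(frame):
    """Return (dst, src, ethertype, payload) for an Ethernet II frame.
    Skips 802.1Q VLAN tags (TPID 0x8100) to reach the real EtherType."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset = 12
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype == 0x8100:
        offset += 4
        if len(frame) < offset + 2:
            raise ValueError("truncated VLAN tag")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
    return dst, src, ethertype, frame[offset + 2:]

def ether_host_match(frame, mac):
    """Same test as the filter 'ether host <mac>': source OR destination."""
    dst, src, _, _ = split_frame(frame)
    return mac in (dst, src)

def payload_content_match(frame, needle):
    """Byte search limited to the data after the link-level header."""
    return needle in split_frame(frame)[3]

# Constructed sample data (not taken from any real capture).
WATCHED = parse_mac("00:11:22:33:44:55")
OTHER = parse_mac("66:77:88:99:aa:bb")
PAYLOAD = b"E" + b"\x00" * 19 + b"GET / HTTP/1.0\r\n\r\n"  # stand-in IP data
FRAME_FROM_WATCHED = OTHER + WATCHED + b"\x08\x00" + PAYLOAD
FRAME_TAGGED = OTHER + WATCHED + b"\x81\x00\x00\x0a\x08\x00" + PAYLOAD
FRAME_UNRELATED = OTHER + parse_mac("de:ad:be:ef:00:01") + b"\x08\x00" + PAYLOAD

if __name__ == "__main__":
    for name, frame in [("from watched", FRAME_FROM_WATCHED),
                        ("vlan tagged", FRAME_TAGGED),
                        ("unrelated", FRAME_UNRELATED)]:
        print(name, "ether host:", ether_host_match(frame, WATCHED),
              "payload search:", payload_content_match(frame, WATCHED))
```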