Snort mailing list archives

RE: Alert Based on MAC Address


From: "Wirth, Jeff" <WirthJe () DNB com>
Date: Thu, 21 Mar 2002 17:47:14 -0500

Am I misunderstanding the content keyword or is there another way to
accomplish this?

Hmmm... I don't think snort in IDS mode can help you here.  The MAC lives in
the link-level header and the content keyword looks in the packet payload.
You may want to consider crafting something up with snort in sniffer mode
(or tcpdump) using the filter option.

i.e. # snort -v ether host <Enter your MAC here> 

This would trigger output anytime snort came across a packet with the MAC in
question.

Hope this helps..

- Jeff
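
The distinction drawn in the reply above, as an added example that is not part of the original post: the MAC addresses occupy the first 12 bytes of the Ethernet header, so a payload search never sees them, while a link-level test of the kind `ether host` performs does. The frames, the watched address and the function names are constructed for illustration.

```python
import struct

def mac_bytes(mac: str) -> bytes:
    """Convert 'aa:bb:cc:dd:ee:ff' into its 6 raw bytes."""
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)

def split_frame(frame: bytes):
    """Split an Ethernet II frame into (dst, src, ethertype, rest)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return dst, src, ethertype, frame[14:]

def ether_host_match(frame: bytes, mac: str) -> bool:
    """Same test as the filter 'ether host <mac>': source OR destination."""
    dst, src, _, _ = split_frame(frame)
    return mac_bytes(mac) in (dst, src)

def payload_contains(frame: bytes, needle: bytes) -> bool:
    """Search everything after the link-level header. This is a superset of
    the payload a content match inspects, and it still excludes the MACs."""
    return needle in split_frame(frame)[3]

# Constructed sample data (not real traffic).
WATCHED = "00:11:22:33:44:55"
FRAME_FROM_WATCHED = (mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes(WATCHED)
                      + b"\x08\x00" + b"constructed-packet-bytes")
FRAME_UNRELATED = (mac_bytes("00:aa:bb:cc:dd:ee") + mac_bytes("00:de:ad:be:ef:01")
                   + b"\x08\x00" + b"constructed-packet-bytes")

if __name__ == "__main__":
    for name, frame in [("from watched host", FRAME_FROM_WATCHED),
                        ("unrelated", FRAME_UNRELATED)]:
        print(name,
              "| link-level match:", ether_host_match(frame, WATCHED),
              "| payload search:", payload_contains(frame, mac_bytes(WATCHED)))
```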
