Re: Snorting the MAC address

[SkatFiend () aol com]

This is correct so long as we are talking about a straight layer 2 switch 
only. However, many environments are now using multi-layer switches. For 
example a Cisco 6509 with a MSFC (Multifunction Switch Feature Card), in 
other words a router on a card. The moment a packet requires routing through 
the MSFC the MAC address  will be re-written to the MAC (bia - burned in 
address) of the MSFC. So, even between VLAN's on a local network your packet 
when it reaches its destination will have the MAC of the last layer 3 device 
it travered.

Cliff

In a message dated 4/11/2002 7:35:36 PM Eastern Daylight Time, 
mkettler () evi-inc com writes:


> Switches will pass mac information along. They are a pure ethernet level 
> device, and thus do not modify the packet contents, they just make 
> inteligent choices about what ethernet port a packet should go out of. But 
> you are correct in that a router will not pass MAC information, all packets 
>
> coming out of a router will have the MAC address of the router interface.
>
> If you really want to track IP spoofing on your local network, Arpwatch is 
> by *far* a better tool for the job. (as has been mentioned on this list ad 
> naseum). It's even designed to notice when the MAC of an IP address changes 
> :)
>
>
> FAQ maintainers: Here's another FAQ entry that should be added :)
>
> Q: Can snort log the MAC addresses of packets?
> --------------------
> A: Since snort is generally designed to detect attacks coming into a 
> network from the internet the MAC address information is not useful, since 
> it will always be the MAC address of the gateway router. If you wish to 
> detect IP spoofing and keep track of IP to MAC information for your local 
> network, Arpwatch is an ideal tool for the job.
>
>
>
> (so how many drinks is it for suggesting a question be added to the FAQ?)
>
>
>
> At 03:26 PM 4/11/2002 -0700, Turner Ryan S CONT KPWA wrote:
> > yeah, there is a good reason. Routers don't pass MAC addresses along with
> > the packet. And hackers are usually more than a few routers away from you.
> > So logging MAC addresses would only work within your network. I think
> > Switches don't even pass MAC information, not positive though. So in that
> > case getting the MAC would only work for computers on the same switch(or
> > hub) as snort, which is relatively pointless unless your troubleshooting
> > something.  There might be some way to enable it in Snort, but it would
> > serve very limited purposes.
> >
> > -----Original Message-----
> > From: Nate Haggard [mailto:nate () wordplace com]
> > Sent: Thursday, April 11, 2002 3:02 PM
> > To: snort-users () lists sourceforge net
> > Subject: [Snort-users] Snorting the MAC address
> >
> >
> > Snort grabs IPs, and that is great until someone tries to spoof their
> > IP.  Is there anyway to get snort to log both the IP and MAC address.
> >
> > Does anyone know what part of the code to look at for this feature?
> >
> > Maybe there is a good reason snort doesn't log the MAC and I'm just
> > clueless.
> >
> >
> > Thanks
> > --
> > Nate Haggard, nate () wordplace com on 04/11/2002
> >
> >
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users