Snort mailing list archives

Re: Writing a rule to trigger on a spoofed mac address


From: "Dawson,Scottie" <scottie.Dawson () ColoState EDU>
Date: Tue, 20 Oct 2009 11:25:16 -0600

Thanks Adam.

http://www.infosecramblings.com/2008/12/02/snort-base-mysql-and-a-deadcafebabe/

scott

From: Dawson,Scottie [mailto:scottie.Dawson () colostate edu] 
Sent: Tuesday, October 20, 2009 10:18 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Writing a rule to trigger on a spoofed mac address


Snort folks


I have gotten some alerts recently on traffic triggered by "Emerging Threats
Trojan Bot - potential reptile commands".  When we looked at the PCAP file
we saw that the MAC address on both ends of the conversation was spoofed:
11:22:33:44:55:66 and de:ad:ca:fe:ba:be.  I am wondering if it's possible to
write a rule that triggers on either one of those MAC addresses?  I was
reading in the Snort manual and I see potential reasons why this is not
possible, such as the protocols portion of the alert (page 92).  If it is
possible, could you guys point me in the right direction?


scott


Scott Dawson
ACNS Network Security
970-297-3712
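Snort 2.x rule headers match on IP addresses and ports, and the rule language has no keyword for the Ethernet header, so the practical way to hunt for these two addresses is to match them outside the rule engine. The script below is an added example, not code from this thread or from the Snort project: it parses a classic pcap file and reports every frame whose source or destination MAC is on a watch list, normalising case and skipping truncated records. The pcap bytes, frames and timestamps are constructed inline for the example.

```python
"""Flag frames whose Ethernet source or destination MAC is on a watch list.

Added example, not code from the thread or from Snort. Snort 2.x rules match
on IP addresses and ports, not the Ethernet header, so this runs over a pcap
file outside the rule engine. All sample data below is constructed.
"""
import struct

# The two addresses seen in the alert's pcap (from the thread).
WATCHED_MACS = {"11:22:33:44:55:66", "de:ad:ca:fe:ba:be"}

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1  # same magic read with the wrong byte order
LINKTYPE_ETHERNET = 1


def mac_to_str(raw):
    """6 raw bytes -> lowercase colon-separated string."""
    return ":".join(f"{b:02x}" for b in raw)


def str_to_mac(text):
    """Colon-separated string (any case) -> 6 raw bytes."""
    return bytes(int(part, 16) for part in text.split(":"))


def build_frame(dst, src, ethertype=0x0800, payload=b"\x45" + b"\x00" * 19):
    """Constructed Ethernet II frame: dst MAC, src MAC, EtherType, payload."""
    return str_to_mac(dst) + str_to_mac(src) + struct.pack("!H", ethertype) + payload


def build_pcap(frames):
    """Serialize frames as a little-endian classic pcap (constructed input)."""
    data = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        data += struct.pack("<IIII", 1256059000 + i, 0, len(frame), len(frame)) + frame
    return data


def iter_pcap_frames(data):
    """Yield (timestamp_sec, frame_bytes) for each record in a classic pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == PCAP_MAGIC_SWAPPED:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack_from(endian + "IHHiIII", data, 0)[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"expected LINKTYPE_ETHERNET, got {linktype}")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        yield ts_sec, data[offset:offset + incl_len]
        offset += incl_len


def ethernet_addrs(frame):
    """Return (dst, src) MAC strings, or None if the frame is shorter than a header."""
    if len(frame) < 14:
        return None
    return mac_to_str(frame[0:6]), mac_to_str(frame[6:12])


def find_watched(pcap_bytes, watched=WATCHED_MACS):
    """List every frame whose src or dst MAC is in `watched`."""
    hits = []
    for index, (ts_sec, frame) in enumerate(iter_pcap_frames(pcap_bytes), start=1):
        addrs = ethernet_addrs(frame)
        if addrs is None:  # truncated capture record: nothing to match on
            continue
        dst, src = addrs
        matched = sorted({m for m in (src, dst) if m in watched})
        if matched:
            hits.append({"frame": index, "ts": ts_sec, "src": src, "dst": dst, "matched": matched})
    return hits


# Constructed capture: one benign frame, one with both spoofed MACs,
# one with a spoofed MAC written in upper case, one truncated record.
SAMPLE_PCAP = build_pcap([
    build_frame("00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:5f"),
    build_frame("de:ad:ca:fe:ba:be", "11:22:33:44:55:66"),
    build_frame("00:1a:2b:3c:4d:5e", "DE:AD:CA:FE:BA:BE"),
    b"\x00" * 10,
])

if __name__ == "__main__":
    for hit in find_watched(SAMPLE_PCAP):
        print(f"frame {hit['frame']} ts={hit['ts']} {hit['src']} -> {hit['dst']} matched {hit['matched']}")
```

For a one-off look at a capture file the same question is answered by tcpdump's BPF syntax, e.g. tcpdump -nne -r capture.pcap 'ether host de:ad:ca:fe:ba:be or ether host 11:22:33:44:55:66'; the script is for when the matches need to be post-processed or correlated with the original alert.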


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
