Snort mailing list archives

Re: Logging MAC address with snort, barnyard2 & MySQL


From: David Guimaraes <skysbsb () gmail com>
Date: Sun, 22 Aug 2010 18:34:57 -0300

I searched for this some time ago, also without finding answers...

The only way I found to recover the MACs of hosts is to go directly
to Snort's unified2 file and run the following:

$ cd /var/log/snort
# Generate the pcap format from unified2 output log
$ barnyard2 -c barn-pcap-log.conf -o snort2.ethX.u2.XXXX -l /var/log/snort/tcpdumps

# Filter only the finding packet
$ tcpdump -e -n -r tcpdump.log.XXXX host WWW and port ZZZ and host XXX

# Barnyard2 pcap output file
$ cat barn-pcap-log.conf
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config reference_file:      /etc/snort/reference.config
config sid_file:            /etc/snort/sid-msg.map
input unified2
output log_tcpdump: tcpdump.log

Or, of course, change the code of the barnyard2 database output plugin
to include the Ethernet frame in the packet logs written to the database,
and change BASE to interpret the Ethernet frame.

On Fri, Aug 20, 2010 at 11:11 AM, Guillaume Blanc
<guillaume.b.blanc () gmail com> wrote:
Hello everyone,

I'm actually trying to get the MAC address of the IP shown in the Snort alert,
but when I download the pcap packet from BASE the only MAC addresses I've
got are 11:22:33:44:55:66 and de:ad:ca:fe:ba:be (dead:cafe:babe)...

I've searched around and found the option -e to activate in Snort, but no
more results. I also use barnyard2 and I tried to activate the same option.

I've found this post, which was really interesting:
http://www.infosecramblings.com/2008/12/02/snort-base-mysql-and-a-deadcafebabe/

And in the comments someone said it was apparently possible with barnyard2.
Do you have any clue on how I can get those MAC addresses?

Thank You

------------------------------------------------------------------------------
This SF.net email is sponsored by

Make an app they can't live without
Enter the BlackBerry Developer Challenge
http://p.sf.net/sfu/RIM-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




-- 
David Gomes Guimarães
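The pipeline above (barnyard2 with log_tcpdump, then tcpdump -e) recovers the Ethernet header because the unified2 packet record stores the whole captured frame, not just the IP payload that BASE shows. The following is an added example, not code from this thread or from Snort/barnyard2: it reads unified2 packet records (record type 2) directly, pulls the source and destination MAC out of each Ethernet frame, and applies the same host/port filter as the tcpdump command. The sample unified2 data, the MAC and IP addresses, and the `extract_macs` function name are all constructed for illustration; the record layout assumed is the unified2 packet record (seven big-endian 32-bit fields followed by the raw packet bytes) with linktype 1 (Ethernet).

```python
"""Extract MAC addresses from Snort unified2 packet records.

Added example, not code from the mailing-list thread or from Snort/barnyard2.
Assumes the unified2 packet record layout (type 2): sensor_id, event_id,
event_second, packet_second, packet_microsecond, linktype, packet_length,
all big-endian uint32, followed by the raw captured frame.
"""
import struct
import sys
from typing import Iterator, List, Optional, Tuple

UNIFIED2_PACKET = 2                      # record type carrying the raw frame
DLT_EN10MB = 1                           # pcap/unified2 linktype for Ethernet
RECORD_HDR = struct.Struct(">II")        # record type, record length
PACKET_HDR = struct.Struct(">IIIIIII")   # the seven uint32 fields listed above


def iter_records(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, body) for each complete record; stop at a truncated tail
    (Snort may still be writing the last record of a live file)."""
    off = 0
    while off + RECORD_HDR.size <= len(data):
        rtype, rlen = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        body = data[off:off + rlen]
        if len(body) < rlen:
            break
        yield rtype, body
        off += rlen


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> Optional[dict]:
    """Decode Ethernet + IPv4 (+ TCP/UDP ports). Returns None for other frames."""
    if len(frame) < 14 + 20:
        return None
    dst_mac, src_mac = frame[0:6], frame[6:12]
    ethertype = struct.unpack(">H", frame[12:14])[0]
    if ethertype != 0x0800:                # IPv4 only for this example
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    row = {
        "src_mac": fmt_mac(src_mac), "dst_mac": fmt_mac(dst_mac),
        "src_ip": ".".join(map(str, ip[12:16])),
        "dst_ip": ".".join(map(str, ip[16:20])),
        "sport": None, "dport": None,
    }
    l4 = ip[ihl:]
    if proto in (6, 17) and len(l4) >= 4:  # TCP/UDP: ports are the first 4 bytes
        row["sport"], row["dport"] = struct.unpack(">HH", l4[:4])
    return row


def extract_macs(data: bytes, host: Optional[str] = None,
                 port: Optional[int] = None) -> List[dict]:
    """Like `tcpdump -e -n host X and port Y`: host matches either IP,
    port matches either port. Only Ethernet-linktype packet records count."""
    rows = []
    for rtype, body in iter_records(data):
        if rtype != UNIFIED2_PACKET or len(body) < PACKET_HDR.size:
            continue
        fields = PACKET_HDR.unpack_from(body)
        linktype, pkt_len = fields[5], fields[6]
        if linktype != DLT_EN10MB:
            continue                        # no Ethernet header to recover
        row = parse_frame(body[PACKET_HDR.size:PACKET_HDR.size + pkt_len])
        if row is None:
            continue
        if host and host not in (row["src_ip"], row["dst_ip"]):
            continue
        if port is not None and port not in (row["sport"], row["dport"]):
            continue
        rows.append(row)
    return rows


def build_sample_unified2() -> bytes:
    """Constructed sample: one IDS-event record (type 7, body zeroed, only its
    length matters here) followed by one packet record with a TCP SYN."""
    src_mac = bytes.fromhex("00ff1a2b3c4d")   # hypothetical client NIC
    dst_mac = bytes.fromhex("0050b6aabbcc")   # hypothetical server NIC
    eth = dst_mac + src_mac + b"\x08\x00"
    tcp = struct.pack(">HHIIBBHHH", 44321, 80, 1, 0, 0x50, 0x02, 65535, 0, 0)
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, 6, 0, bytes([192, 168, 1, 50]), bytes([10, 0, 0, 8]))
    frame = eth + ip + tcp
    pkt_body = PACKET_HDR.pack(1, 7, 1282500000, 1282500000, 123456,
                               DLT_EN10MB, len(frame)) + frame
    event_body = bytes(52)
    return (RECORD_HDR.pack(7, len(event_body)) + event_body
            + RECORD_HDR.pack(UNIFIED2_PACKET, len(pkt_body)) + pkt_body)


if __name__ == "__main__":
    # Usage: python u2mac.py [/var/log/snort/snort.u2.XXXX] [host] [port]
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_unified2()
    host = sys.argv[2] if len(sys.argv) > 2 else None
    port = int(sys.argv[3]) if len(sys.argv) > 3 else None
    for r in extract_macs(data, host, port):
        print(f"{r['src_mac']} > {r['dst_mac']}  "
              f"{r['src_ip']}:{r['sport']} -> {r['dst_ip']}:{r['dport']}")
```

Run it against a real unified2 file and a MAC of 00:00:00:00:00:00 or a record with a linktype other than 1 means Snort was not capturing on an Ethernet link (or the capture was stripped of its link layer), and no database plugin tweak will bring the addresses back.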
