Re: Mac-Address

[Andrew Fox <andrewfox312 () gmail com>]

Try adding:

config decode_data_link

to snort.conf

Source: http://manual.snort.org/node58.html


On Mon, Aug 19, 2013 at 8:40 AM, Abid Ayoub <abid.ayoub () gmail com> wrote:

> yes , no problem.
> so how can i save this extra information in snort database ? should i
> change the configuration ?
>
> Regards
>
>
> 2013/8/19 Joel Esler <jesler () sourcefire com>
>
> > You probably won’t get the mac address of the host.  You will only get
> > the mac address of the device that last handled the packet before Snort saw
> > it.
> >
> >
> > On Aug 19, 2013, at 9:08 AM, Abid Ayoub <abid.ayoub () gmail com> wrote:
> >
> > Thanks.
> >
> > So what i need is to save in snort database, when an attack is deteckted,
> > the mac-addresses of host.
> > So how can i do that ?
> >
> > Regards,
> > Abid
> >
> >
> > 2013/8/19 Joel Esler <jesler () sourcefire com>
> >
> > > Snort can dump the last mac address that it sees when it sniffs the
> > > packet, use the “-e” command line tag.
> > >
> > > --
> > > *Joel Esler*
> > > Senior Research Engineer, VRT
> > > OpenSource Community Manager
> > > Sourcefire
> > >
> > > On Aug 19, 2013, at 6:30 AM, Abid Ayoub <abid.ayoub () gmail com> wrote:
> > >
> > > Hi,
> > >
> > > can snort show the mac-address of hosts , with oder instead of the
> > > ip-address?
> > >
> > > Regards,
> > > Abid
> > >
> > > ------------------------------------------------------------------------------
> > > Get 100% visibility into Java/.NET code with AppDynamics Lite!
> > > It's a free troubleshooting tool designed for production.
> > > Get down to code-level detail for bottlenecks, with <2% overhead.
> > > Download for free and get started troubleshooting in minutes.
> > >
> > > http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk_______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest
> > > Snort news!
>
>
> ------------------------------------------------------------------------------
> Get 100% visibility into Java/.NET code with AppDynamics Lite!
> It's a free troubleshooting tool designed for production.
> Get down to code-level detail for bottlenecks, with <2% overhead.
> Download for free and get started troubleshooting in minutes.
> http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
Introducing Performance Central, a new site from SourceForge and 
AppDynamics. Performance Central is your source for news, insights, 
analysis and resources for efficient Application Performance Management. 
Visit us today!
http://pubads.g.doubleclick.net/gampad/clk?id=48897511&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!