Re: Mac-Address

[Abid Ayoub <abid.ayoub () gmail com>]

Hi,

i am listning on a ethernet interface. and this is what i get in the
snort.u2.xx when a new attack happened:

(Event)
 sensor id: 0 event id: 1 event second: 1377070239 event microsecond: 132395
 sig id: 10010001 gen id: 1 revision: 1  classification: 0
 priority: 0 ip source: x.x.x.x ip destination: x.x.x.x
 src port: 8 dest port: 0 protocol: 1 impact_flag: 0 blocked: 0

Packet
 sensor id: 0 event id: 1 event second: 1377070239
 packet second: 1377070239  packet microsecond: 132395
 linktype: 1 packet_length: 98
[    0] 3C D9 2B 64 14 4C 00 0C 29 CD 76 9F 08 00 45 00  <.+d.L..).v...E.
[   16] 00 54 00 00 40 00 40 01 B0 DD C0 A8 04 78 C0 A8  .T..@.@......x..
[   32] 04 03 08 00 7B 14 78 25 00 01 9F 6C 14 52 64 03  ....{.x%...l.Rd.
[   48] 02 00 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15  ................
[   64] 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25  .......... !"#$%
[   80] 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35  &'()*+,-./012345
[   96] 36 37                                            67

So, am i doing something wrong ? how can i get also the  Mac-Addresses ?

Regards,
Abid



2013/8/21 beenph <beenph () gmail com>

> On Wed, Aug 21, 2013 at 4:07 AM, Abid Ayoub <abid.ayoub () gmail com> wrote:
> > HI,
> >
> > Thanks Andrew.
> >
> > config decode_data_link will replace -e in snort command.
> > The Mac-address will be printed on the screen but it will not be saved in
> > the snort.u2.xxx file.
>
> The mac address is saved in the file if your listening on a ethernet
> interface and the
> packet that you initialy captured has a ethernet header.
>
>
> > So , what should i do to save it in the file ?
> >
> > Regards
> > Abid
> >
> >
> > 2013/8/20 Andrew Fox <andrewfox312 () gmail com>
> > > Try adding:
> > >
> > > config decode_data_link
> > >
> > > to snort.conf
> > >
> > > Source: http://manual.snort.org/node58.html
> > >
> > >
> > > On Mon, Aug 19, 2013 at 8:40 AM, Abid Ayoub <abid.ayoub () gmail com>
> wrote:
> > > > yes , no problem.
> > > > so how can i save this extra information in snort database ? should i
> > > > change the configuration ?
> > > >
> > > > Regards
> > > >
> > > >
> > > > 2013/8/19 Joel Esler <jesler () sourcefire com>
> > > > > You probably won’t get the mac address of the host.  You will only get
> > > > > the mac address of the device that last handled the packet before
> Snort saw
> > > > > it.
> > > > >
> > > > >
> > > > > On Aug 19, 2013, at 9:08 AM, Abid Ayoub <abid.ayoub () gmail com> wrote:
> > > > >
> > > > > Thanks.
> > > > >
> > > > > So what i need is to save in snort database, when an attack is
> > > > > deteckted, the mac-addresses of host.
> > > > > So how can i do that ?
> > > > >
> > > > > Regards,
> > > > > Abid
> > > > >
> > > > >
> > > > > 2013/8/19 Joel Esler <jesler () sourcefire com>
> > > > > > Snort can dump the last mac address that it sees when it sniffs the
> > > > > > packet, use the “-e” command line tag.
> > > > > >
> > > > > > --
> > > > > > Joel Esler
> > > > > > Senior Research Engineer, VRT
> > > > > > OpenSource Community Manager
> > > > > > Sourcefire
> > > > > >
> > > > > > On Aug 19, 2013, at 6:30 AM, Abid Ayoub <abid.ayoub () gmail com>
> wrote:
> > > > > > Hi,
> > > > > >
> > > > > > can snort show the mac-address of hosts , with oder instead of the
> > > > > > ip-address?
> > > > > >
> > > > > > Regards,
> > > > > > Abid
> ------------------------------------------------------------------------------
> > > > > > Get 100% visibility into Java/.NET code with AppDynamics Lite!
> > > > > > It's a free troubleshooting tool designed for production.
> > > > > > Get down to code-level detail for bottlenecks, with <2% overhead.
> > > > > > Download for free and get started troubleshooting in minutes.
> http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk_______________________________________________
> > > > > > Snort-users mailing list
> > > > > > Snort-users () lists sourceforge net
> > > > > > Go to this URL to change user options or unsubscribe:
> > > > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > > > Snort-users list archive:
> > > > > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > > > > >
> > > > > > Please visit http://blog.snort.org to stay current on all the latest
> > > > > > Snort news!
> ------------------------------------------------------------------------------
> > > > Get 100% visibility into Java/.NET code with AppDynamics Lite!
> > > > It's a free troubleshooting tool designed for production.
> > > > Get down to code-level detail for bottlenecks, with <2% overhead.
> > > > Download for free and get started troubleshooting in minutes.
> http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users () lists sourceforge net
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > > >
> > > > Please visit http://blog.snort.org to stay current on all the latest
> > > > Snort news!
> ------------------------------------------------------------------------------
> > Introducing Performance Central, a new site from SourceForge and
> > AppDynamics. Performance Central is your source for news, insights,
> > analysis and resources for efficient Application Performance Management.
> > Visit us today!
> http://pubads.g.doubleclick.net/gampad/clk?id=48897511&iu=/4140/ostg.clktrk
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> Snort
> > news!
------------------------------------------------------------------------------
Introducing Performance Central, a new site from SourceForge and 
AppDynamics. Performance Central is your source for news, insights, 
analysis and resources for efficient Application Performance Management. 
Visit us today!
http://pubads.g.doubleclick.net/gampad/clk?id=48897511&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!