Re: Mac Address in alert

[Paul Li <paul () scybersecurity com>]

Hi Al,

Somehow I missed one of your messages about, "what you do with mac ? ...",
until I saw it on daily digest. Mine is a concern case actually I want to
identify my own side's devices by Mac Address: I use one Snort server
monitor multiple sub-nets whose devices could have the same internal IPs.

Follow up this question, I'm currently using Barnyard2 to spool alerts to
DB, but looks like Barnyard2 doesn't have Mac Address in its log at all, or
at least I don't see its DB schema have Mac Address. So wondering if
Barnyard can load alerts with Mac Address to DB, and if Barnyard2 doesn't,
what's the best way to do it?

Thanks,
Paul


On Wed, Jun 7, 2017 at 9:28 PM, Al Lewis (allewi) <allewi () cisco com> wrote:

> It depends on your logging output format/flags.
>
> http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node21.html
>
>
> *Albert Lewis*
>
> ENGINEER.SOFTWARE ENGINEERING
>
> SOURCE*fire*, Inc. now part of *Cisco*
>
> Email: allewi () cisco com
>
> From: Paul Li <paul () scybersecurity com>
> Date: Wednesday, June 7, 2017 at 7:47 PM
> To: allewi <allewi () cisco com>
> Cc: 'snort-users' <snort-users () lists sourceforge net>
> Subject: Re: [Snort-users] Mac Address in alert
>
> Thanks Al. Appreciate it. Looks like one of the parameters Acmg does the
> trick. Is my understanding correct?
>
> Paul
>
> On Jun 7, 2017 19:38, "Al Lewis (allewi)" <allewi () cisco com> wrote:
>
> Its there:
>
> Taken from below:
>
> 06/07-19:30:42.272000 07:08:09:0A:0B:0C -> 01:02:03:04:05:06 type:0x800
> len:0x632
>
>
>
> alewis@box3:/var/tmp/snort-2.9.9.0-released$ ./bin/snort  -c
> etc/NATARAJAN.conf -r /tmp/TEST.pcap  -Acmg -k none -q
> 06/07-19:30:42.272000  [**] [1:1000002:1] Snort alerting on XYZ content
> [**] [Priority: 0] {TCP} 1.1.1.1:34504 -> 2.2.2.2:25
> 06/07-19:30:42.272000 07:08:09:0A:0B:0C -> 01:02:03:04:05:06 type:0x800
> len:0x632
> 1.1.1.1:34504 -> 2.2.2.2:25 TCP TTL:64 TOS:0x0 ID:58912 IpLen:20
> DgmLen:1572 DF
> ***AP*** Seq: 0xB7C96236  Ack: 0xF0F5EF6D  Win: 0x156  TcpLen: 32
> TCP Options (3) => NOP NOP TS: 20087867 20087851
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>
>
>
>
>
> Albert Lewis
> ENGINEER.SOFTWARE ENGINEERING
> SOURCEfire, Inc. now part of Cisco
> Email: allewi () cisco com
>
>
>
>
>
>
>
> On 6/7/17, 6:29 PM, "Paul Li" <paul () scybersecurity com> wrote:
>
> > Seems someone already asked this question, but Google doesn't give me a
> > confirmed answer. So bring this question to the attention to this group:
> >
> > Is there a way I can get the MacAddress of the src and dst in a Snort
> alert?
> > Thanks,
> > Paul
> > -----------------------------------------------------------
> -------------------
> > Check out the vibrant tech community on one of the world's most
> > engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!