IDS mailing list archives
Re: SNORT: MAC Address Alert
From: Mark Coleman <markc () uniontown com>
Date: Thu, 18 Sep 2003 14:24:36 -0400
Hi James, I am doing something VERY similar to exactly what you described.I use TCPDUMP to cap packets with a rule of what I want to watch for, piped to a file. I then have a cron job check for anything in that file, and email the contents to my pager if there's captured data. The script then clears the file for next one. You might want to match on a colon to cap non-IP traffic too, as the MAC address (I think) in tcpdump uses colons in it.
So, you could do tcpdump at layer 2 (I blieve there's some layer 2 rules in there), or at least tcpdump EVERYTHING and pipe it through a "grep xx:xx:xx:xx:" for the MAC address and pipe that whole thing to a file that a cron job parses and emails if it exists. I think you have to use a -e switch to get the layer 2 info in the dumps if I remember right. I use -lne as my swtiches.
Mine works like a champ. -Mark Coleman James Williams wrote:
We have been having an issue over the past couple of days where a couple of computers are gaining access to our network and picking arbitrary IP addresses to send SPAM emails. We have the MAC addresses of the suspected computers and know which locations they are coming from, but they do not spend much time in any one location. What I would like to do is setup a box with snort and configure a very specific rule set to have snort text message my mobile phone when it sees these two MAC addresses on our network and possibly from which switch/wap/vlan/etc. Is this possible? If so can somebody give me a couple configuration examples? Thank you, James Williams --------------------------------------------------------------------------- Captus Networks IPS 4000Intrusion Prevention and Traffic Shaping Technology to: - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans- Automatically Control P2P, IM and Spam Traffic - Precisely Define and Implement Network Security & Performance PoliciesFREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo http://www.securityfocus.com/sponsor/CaptusNetworks_focus-ids_000101---------------------------------------------------------------------------
--------------------------------------------------------------------------- Captus Networks IPS 4000Intrusion Prevention and Traffic Shaping Technology to: - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
- Automatically Control P2P, IM and Spam Traffic - Precisely Define and Implement Network Security & Performance PoliciesFREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo http://www.securityfocus.com/sponsor/CaptusNetworks_focus-ids_000101
---------------------------------------------------------------------------
Current thread:
- SNORT: MAC Address Alert James Williams (Sep 18)
- Re: SNORT: MAC Address Alert Jordan Wiens (Sep 19)
- Re: SNORT: MAC Address Alert Jordan Wiens (Sep 22)
- Re: SNORT: MAC Address Alert Mark Coleman (Sep 19)
- Re: SNORT: MAC Address Alert noconflic (Sep 19)
- Re: SNORT: MAC Address Alert Florin Andrei (Sep 19)
- Re: SNORT: MAC Address Alert Brad McGary (Sep 19)
- Re: SNORT: MAC Address Alert noconflic (Sep 22)
- Re: SNORT: MAC Address Alert Maxime Ducharme (Sep 22)
- Re: SNORT: MAC Address Alert noconflic (Sep 22)
- <Possible follow-ups>
- RE: SNORT: MAC Address Alert Jorge Coll (Sep 22)
- Re: SNORT: MAC Address Alert Jordan Wiens (Sep 19)