Snort mailing list archives
RE: Mac Addresses in Acid Screens
From: Demetri Mouratis <dmourati () cm math uiuc edu>
Date: Fri, 10 Oct 2003 11:19:01 -0500 (CDT)
On Fri, 10 Oct 2003, Schmehl, Paul L wrote:

> On Thu, 9 Oct 2003, Juan M. Rivera wrote:
>
> > Does anyone know how you can see the Mac Address with the IP address in the Acid screen (acid_stat_ipaddr.php)?
>
> For some reason I missed Juan's original post, so I'm using Demetri's followup to respond to the original question. Demetri, hope you don't mind.

No problem.

> You'd have to modify the snort source code to get the MAC from the packet headers.

Really? What about snort -e?

> Then you'd have to modify the ACID source code to display them. And it wouldn't do you much good unless you were in a broadcast network rather than switched. In a switched network all you would get would be the last router's MAC.

Right. I was thinking along the lines of maintaining an arp table for all local hosts and then reporting the MAC<->IP pairing in the ACID alert page. Something like:

Meta:      ID #  Time  Triggered Signature
Data Link: src/dst MAC Address (hopefully one or the other, not both ;-) )
IP:        source addr  dest addr  Ver  Hdr Len  TOS  length  ID  flags  offset
TCP:       source port  dest port

> We (not me - our wireless guy) have actually modified snort here to extract MACs from a snort box that is watching the wireless cloud. We then have a custom php page that displays the MAC along with the IP and other info. (No, we won't make it available. It wouldn't be worth much anyway.) But the wireless cloud will soon be authenticated VLANs and then it won't do us any good there either. We just did it to make it easier to deal with the rpc worm infections in our student residences.
Sounds cool. I got into this during a worm outbreak myself. My SMTP servers were causing spurious sobig alerts and I needed to verify the source MAC. Interesting discussion so far.

---------------------------------------------------------------------
Demetri Mouratis
dmourati () linfactory com
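The approach Demetri sketches above (keep an ARP table of local hosts, annotate each alert's source IP with its MAC) and Paul's caveat (on a switched/routed network an off-segment source arrives carrying the last router's MAC, so the MAC says nothing about the real host) are both easy to get wrong in a reporting page. The following is an added example written for this page, not code from the thread, from Snort or from ACID. It assumes an ARP dump in the `? (ip) at mac [ether] on eth0` style that `arp -an` prints on Linux/BSD, a constructed alert record that carries the frame's source MAC the way `snort -e` exposes it, and an assumed local subnet and gateway address; the sample table and alerts are made up for the demonstration.

```python
"""Attribute Snort alert source IPs to MAC addresses using a local ARP table.

Added example for the mailing-list discussion above; not Snort or ACID code.
Each alert is classified so a reporting page never presents a router's MAC
as if it identified the offending host.
"""
import ipaddress
import re

# Constructed sample of `arp -an` style output (format approximated).
ARP_TABLE_TEXT = """\
? (192.168.1.1) at 00:11:22:33:44:01 [ether] on eth0
? (192.168.1.10) at 00:11:22:33:44:10 [ether] on eth0
? (192.168.1.25) at 00:11:22:33:44:25 [ether] on eth0
"""

# Constructed sample alerts. src_mac is the Ethernet source of the frame that
# triggered the alert (what `snort -e` would show); the record layout itself is
# illustrative and not Snort's own alert format.
ALERTS = [
    {"sig": "RPC DCOM worm", "src_ip": "192.168.1.25", "src_mac": "0:11:22:33:44:25", "dst_ip": "192.168.1.10"},
    {"sig": "Sobig SMTP",    "src_ip": "10.9.8.7",     "src_mac": "00:11:22:33:44:01", "dst_ip": "192.168.1.10"},
    {"sig": "SCAN nmap",     "src_ip": "192.168.1.77", "src_mac": "00:de:ad:be:ef:77", "dst_ip": "192.168.1.10"},
    {"sig": "RPC DCOM worm", "src_ip": "192.168.1.10", "src_mac": "00:11:22:33:44:99", "dst_ip": "192.168.1.25"},
]

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed: the sensor's own segment
GATEWAY_IPS = {"192.168.1.1"}                         # assumed: the segment's router(s)

ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]+)")


def normalize_mac(mac):
    """Lower-case and zero-pad each octet, so '0:A0:C9:1:2:3' == '00:a0:c9:01:02:03'."""
    return ":".join(octet.zfill(2).lower() for octet in mac.split(":"))


def parse_arp_table(text):
    """Return {ip: mac} from `arp -an` style lines; lines without an entry are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m["ip"]] = normalize_mac(m["mac"])
    return table


def attribute_alert(alert, arp, local_net=LOCAL_NET, gateway_ips=GATEWAY_IPS):
    """Classify one alert and decide which MAC, if any, identifies the source host."""
    frame_mac = normalize_mac(alert["src_mac"])
    gateway_macs = {arp[g] for g in gateway_ips if g in arp}
    src = ipaddress.ip_address(alert["src_ip"])
    result = dict(alert, frame_mac=frame_mac)

    if src not in local_net:
        # Off-segment source: the frame MAC belongs to whatever router forwarded
        # the packet onto this segment, never to the sending host.
        result["host_mac"] = None
        result["status"] = "off-segment-via-router" if frame_mac in gateway_macs else "off-segment"
        return result

    known = arp.get(alert["src_ip"])
    if known is None:
        result["host_mac"] = frame_mac      # local subnet, but no ARP entry to confirm it
        result["status"] = "not-in-arp"
    elif known == frame_mac:
        result["host_mac"] = frame_mac      # ARP table and frame agree
        result["status"] = "local"
    else:
        result["host_mac"] = known          # frame disagrees with ARP: spoofing or stale entry
        result["status"] = "mac-mismatch"
    return result


def attribute_all(alerts, arp):
    return [attribute_alert(a, arp) for a in alerts]


def format_row(r):
    return f"{r['sig']:<14} {r['src_ip']:<15} {r['frame_mac']}  {r['status']}"


if __name__ == "__main__":
    table = parse_arp_table(ARP_TABLE_TEXT)
    for row in attribute_all(ALERTS, table):
        print(format_row(row))
```

The `mac-mismatch` case is the one worth surfacing on a page like the ACID alert view: a local IP whose frame MAC does not match the ARP table is either a spoofed source or a stale table, and both deserve a look before anyone walks to the wrong desk. An alert tagged `off-segment-via-router` should show no host MAC at all, since displaying the gateway's address beside a remote IP is exactly the misleading result Paul warns about.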
Current thread:
- Mac Addresses in Acid Screens Juan M. Rivera (Oct 09)
- Re: Mac Addresses in Acid Screens Demetri Mouratis (Oct 10)
- Re: Mac Addresses in Acid Screens Milo Velimirovic (Oct 10)
- Re: Mac Addresses in Acid Screens Jeff Nathan (Oct 10)
- RE: Mac Addresses in Acid Screens Schmehl, Paul L (Oct 10)
- RE: Mac Addresses in Acid Screens Demetri Mouratis (Oct 10)
- Re: Mac Addresses in Acid Screens Stephen W. Thompson (Oct 10)
- RE: Mac Addresses in Acid Screens Demetri Mouratis (Oct 10)
- RE: Mac Addresses in Acid Screens Schmehl, Paul L (Oct 10)
- Re: Mac Addresses in Acid Screens Demetri Mouratis (Oct 10)