Snort mailing list archives

RE: Mac Adresses in Acid Screens


From: Demetri Mouratis <dmourati () cm math uiuc edu>
Date: Fri, 10 Oct 2003 11:19:01 -0500 (CDT)

On Fri, 10 Oct 2003, Schmehl, Paul L wrote:

> On Thu, 9 Oct 2003, Juan M. Rivera wrote:
> 
> > Does anyone know how you can see the Mac Address with the
> > IP address
> > in the Acid screen (acid_stat_ipaddr.php)?

> For some reason I missed Juan's original post, so I'm using Demetri's
> followup to respond to the original question.  Demetri, hope you don't
> mind.

No problem.

> You'd have to modify the snort source code to get the MAC from the
> packet headers.

Really?  What about snort -e?

> Then you'd have to modify the ACID source code to
> display them.  And it wouldn't do you much good unless you were in a
> broadcast network rather than switched.  In a switched network all you
> would get would be the last router's MAC.

Right.  I was thinking along the lines of maintaining an arp table for all
local hosts and then reporting the MAC<->IP pairing in the ACID alert
page.  Something like:

Meta:   ID #  Time  Triggered Signature
Data Link:      src/dst MAC Address (hopefully one or the other, not both ;-) )
IP:     IPsource addr   dest addr   Ver Hdr Len TOS length ID flags offset
TCP:    source port dest port


> We (not me - our wireless guy) have actually modified snort here to
> extract MACs from a snort box that is watching the wireless cloud.  We
> then have a custom php page that displays the MAC along with the IP and
> other info.  (No, we won't make it available.  It wouldn't be worth much
> anyway.)  But the wireless cloud will soon be authenticated VLANs and
> then it won't do us any good there either.  We just did it to make it
> easier to deal with the rpc worm infections in our student residences.

Sounds cool.  I got into this during a worm outbreak myself.  My SMTP
servers were causing spurious sobig alerts and I needed to verify the
source MAC.

Interesting discussion so far.
---------------------------------------------------------------------
Demetri Mouratis
dmourati () linfactory com
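Demetri's idea above (keep an ARP table of the local hosts and report the MAC<->IP pairing next to each alert) and Paul's caveat (on a switched or routed segment the source MAC you capture is the last router's, not the sender's) can be put together in a small post-processing script. The following is an added example, not code from this thread, from Snort or from ACID. It assumes the layer-2 line Snort prints in full alert mode when started with `-e` (`SRC -> DST type:0x... len:0x...` on the timestamp line) and the `arp -an` output format; every address, signature and host in the sample inputs is constructed.

```python
"""Join Snort ``-e`` alert output with a local ARP table snapshot.

Added example (not from the thread, Snort or ACID). Assumes the
``SRC -> DST type:0x...`` layer-2 line of Snort full alert mode with -e
and the ``arp -an`` line format; all sample data below is constructed.
"""
import re
from typing import Dict, List

# Constructed ``arp -an`` snapshot of the local segment (hypothetical hosts).
ARP_SNAPSHOT = """\
? (10.0.5.1) at 00:11:22:33:44:01 [ether] on eth0
? (10.0.5.25) at 00:11:22:33:44:25 [ether] on eth0
? (10.0.5.77) at 00:11:22:33:44:77 [ether] on eth0
"""

# Constructed Snort full-format alerts as written with ``-e`` (MACs made up).
ALERTS = """\
[**] [1:2000:1] WORM sample signature [**]
10/10-11:19:01.000000 00:11:22:33:44:25 -> 00:11:22:33:44:01 type:0x800 len:0x4E
10.0.5.25:2048 -> 10.0.5.1:25 TCP TTL:128 TOS:0x0 ID:1 IpLen:20 DgmLen:64

[**] [1:2000:1] WORM sample signature [**]
10/10-11:19:02.000000 00:11:22:33:44:01 -> 00:11:22:33:44:25 type:0x800 len:0x4E
192.168.9.9:2049 -> 10.0.5.25:25 TCP TTL:60 TOS:0x0 ID:2 IpLen:20 DgmLen:64
"""

GATEWAY_IP = "10.0.5.1"  # hypothetical default router on this segment

MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"
ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>%s)" % MAC)
ETH_LINE = re.compile(r"(?P<src>%s) -> (?P<dst>%s) type:0x" % (MAC, MAC))
IP_LINE = re.compile(r"^(?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)? ")


def parse_arp(text: str) -> Dict[str, str]:
    """Map IP -> MAC (upper-cased) from an ``arp -an`` dump."""
    return {m["ip"]: m["mac"].upper() for m in ARP_LINE.finditer(text)}


def parse_alerts(text: str) -> List[dict]:
    """Pull signature, layer-2 and layer-3 addresses out of each alert block."""
    alerts = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        eth = next((m for m in map(ETH_LINE.search, lines) if m), None)
        ip = next((m for m in map(IP_LINE.match, lines) if m), None)
        if not (eth and ip):
            continue  # no layer-2 line: not captured with -e, do not guess
        alerts.append({"sig": lines[0],
                       "src_mac": eth["src"].upper(), "dst_mac": eth["dst"].upper(),
                       "src_ip": ip["src"], "dst_ip": ip["dst"]})
    return alerts


def classify(alert: dict, arp: Dict[str, str], gateway_ip: str) -> str:
    """Say what the captured source MAC actually identifies."""
    expected = arp.get(alert["src_ip"])
    observed = alert["src_mac"]
    if expected is None:
        if observed == arp.get(gateway_ip):
            return "off-segment: source MAC is the gateway, not the sender"
        return "unknown: source IP not in local ARP table"
    if observed == expected:
        return "local: source MAC matches ARP entry"
    return "mismatch: source MAC differs from ARP entry (investigate)"


def report(alert_text: str = ALERTS, arp_text: str = ARP_SNAPSHOT,
           gateway_ip: str = GATEWAY_IP) -> List[dict]:
    """One row per alert: the ACID-style fields plus the ARP pairing and a verdict."""
    arp = parse_arp(arp_text)
    return [{**a, "arp_mac": arp.get(a["src_ip"]),
             "verdict": classify(a, arp, gateway_ip)}
            for a in parse_alerts(alert_text)]


if __name__ == "__main__":
    for row in report():
        print(row["sig"])
        print("  Data Link: %s -> %s" % (row["src_mac"], row["dst_mac"]))
        print("  IP:        %s -> %s" % (row["src_ip"], row["dst_ip"]))
        print("  ARP:       %s  %s" % (row["arp_mac"], row["verdict"]))
```

The first constructed alert comes from a host on the local segment, so its source MAC matches the ARP entry and can be trusted for the kind of check Demetri describes (confirming which machine really sent the traffic). The second has a source IP off the segment, and its source MAC is the gateway's: exactly the case Paul warns about, where the Data Link line tells you only which router handed the packet over.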



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
