Snort mailing list archives
Re: Mac Adresses in Acid Screens
From: "Stephen W. Thompson" <thompson+snort () pobox upenn edu>
Date: Fri, 10 Oct 2003 13:14:38 -0400 (EDT)
In a multi-person thread, Demetri Mouratis wrote in response to an earlier posting:
You'd have to modify the snort source code to get the MAC from the packet headers.
[snip]
Then you'd have to modify the ACID source code to display them. And it wouldn't do you much good unless you were in a broadcast network rather than switched. In a switched network all you would get would be the last router's MAC.

Right. I was thinking along the lines of maintaining an arp table for all local hosts and then reporting the MAC<->IP pairing in the ACID alert page. Something like:
I went through the archives some time ago to understand this same issue. One posting in that thread (sorry, I've no references to it) said, in effect, that snort was not the right tool for MAC-level logging. They recommended arpwatch instead. Since I had already been using arpwatch and appreciated what it does, I stopped looking into a snort-integrated method. Also, I came to agree with other postings in the last day or so that, when I finally install onto the main pipe rather than just experimenting at a normal wallplate on a switched network, I'll be prevented from seeing meaningful MACs for all but one subnet.

En paz,
Steve, security analyst
--
Stephen W. Thompson, UPenn, ISC Information Security, 215-898-1236, WWW has PGP
thompson+snort () pobox upenn edu  http://pobox.upenn.edu/~thompson/index.html
The only safe choice: Write e-mail as if it's public. Cuz it could be.
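The arpwatch-style approach Demetri sketches (keep a table of local IP<->MAC pairings, then annotate each alert with it) is easy to see in miniature. The following is an added example, not code from this thread, from Snort, ACID or arpwatch: it keeps a per-IP station record, raises arpwatch-like "new station", "changed ethernet address" and "flip flop" events when an IP's MAC changes, and formats the pairing for an alert line. The sample ARP observations, the addresses and the function names are all constructed for illustration. Hosts that are not on the monitored segment (the switched-network caveat raised in the thread) simply have no entry, so the annotation says so rather than reporting a router's MAC.

```python
"""Minimal arpwatch-style IP<->MAC tracker with alert annotation (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample of ARP "is-at" observations seen on the local segment:
# (timestamp, sender IP, sender MAC, interface). Not real capture data.
SAMPLE_ARP_REPLIES = [
    ("2003-10-10T13:00:00", "10.0.0.5",  "00:0a:95:9d:68:16", "eth0"),
    ("2003-10-10T13:00:07", "10.0.0.9",  "00:0a:95:9d:68:1b", "eth0"),
    ("2003-10-10T13:01:15", "10.0.0.5",  "00:0a:95:9d:68:16", "eth0"),  # unchanged, no event
    ("2003-10-10T13:02:42", "10.0.0.5",  "00:1b:63:84:45:e6", "eth0"),  # MAC changed -> event
    ("2003-10-10T13:03:00", "10.0.0.12", "00:1b:63:84:45:e6", "eth0"),  # same MAC, second IP
    ("2003-10-10T13:04:10", "10.0.0.5",  "00:0a:95:9d:68:16", "eth0"),  # back to old MAC -> flip flop
]


@dataclass
class Station:
    """What we know about one local IP address."""
    mac: str
    first_seen: str
    last_seen: str
    previous_macs: List[str] = field(default_factory=list)


class ArpTable:
    """Tracks IP->MAC pairings and records arpwatch-like events on change."""

    def __init__(self) -> None:
        self.by_ip: Dict[str, Station] = {}
        # (timestamp, event kind, ip, mac) in observation order
        self.events: List[Tuple[str, str, str, str]] = []

    def observe(self, ts: str, ip: str, mac: str) -> Optional[str]:
        """Record one ARP observation; return the event kind raised, if any."""
        mac = mac.lower()
        st = self.by_ip.get(ip)
        if st is None:
            self.by_ip[ip] = Station(mac, ts, ts)
            self.events.append((ts, "new station", ip, mac))
            return "new station"
        st.last_seen = ts
        if st.mac == mac:
            return None  # same pairing as before: nothing to report
        # A return to a MAC seen earlier for this IP is a "flip flop";
        # any other change is a plain "changed ethernet address".
        kind = "flip flop" if mac in st.previous_macs else "changed ethernet address"
        st.previous_macs.append(st.mac)
        st.mac = mac
        self.events.append((ts, kind, ip, mac))
        return kind

    def lookup(self, ip: str) -> Optional[str]:
        """Current MAC for a local IP, or None if never seen on this segment."""
        st = self.by_ip.get(ip)
        return st.mac if st else None

    def ips_for_mac(self, mac: str) -> List[str]:
        """All IPs currently claiming a MAC (more than one is worth a look)."""
        mac = mac.lower()
        return sorted(ip for ip, st in self.by_ip.items() if st.mac == mac)


def annotate_alert(table: ArpTable, src_ip: str, dst_ip: str) -> str:
    """Format the MAC<->IP pairing for an alert line, honestly marking off-segment hosts."""
    def fmt(ip: str) -> str:
        mac = table.lookup(ip)
        return f"{ip} [{mac}]" if mac else f"{ip} [MAC unknown: not on local segment]"
    return f"{fmt(src_ip)} -> {fmt(dst_ip)}"


def run_sample() -> ArpTable:
    """Feed the constructed observations through the table and return it."""
    table = ArpTable()
    for ts, ip, mac, _iface in SAMPLE_ARP_REPLIES:
        table.observe(ts, ip, mac)
    return table


if __name__ == "__main__":
    t = run_sample()
    for ts, kind, ip, mac in t.events:
        print(f"{ts} {kind}: {ip} {mac}")
    print(annotate_alert(t, "10.0.0.5", "192.0.2.44"))
```

In a real deployment the observations would come from a sniffer on each broadcast domain (which is exactly why a single sensor behind a switch only sees one subnet's MACs), and the event list would be what gets paged out or written next to the Snort alert.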
Current thread:
- Mac Adresses in Acid Screens Juan M. Rivera (Oct 09)
- Re: Mac Adresses in Acid Screens Demetri Mouratis (Oct 10)
- Re: Mac Adresses in Acid Screens Milo Velimirovic (Oct 10)
- Re: Mac Adresses in Acid Screens Jeff Nathan (Oct 10)
- <Possible follow-ups>
- RE: Mac Adresses in Acid Screens Schmehl, Paul L (Oct 10)
- RE: Mac Adresses in Acid Screens Demetri Mouratis (Oct 10)
- Re: Mac Adresses in Acid Screens Stephen W. Thompson (Oct 10)
- RE: Mac Adresses in Acid Screens Demetri Mouratis (Oct 10)
- RE: Mac Adresses in Acid Screens Schmehl, Paul L (Oct 10)
- Re: Mac Adresses in Acid Screens Demetri Mouratis (Oct 10)