Snort mailing list archives
RE: Mac Adresses in Acid Screens
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Fri, 10 Oct 2003 15:05:21 -0500
-----Original Message-----
From: Demetri Mouratis [mailto:dmourati () cm math uiuc edu]
Sent: Friday, October 10, 2003 11:19 AM
To: Schmehl, Paul L
Cc: Juan M. Rivera; Snort Users List
Subject: RE: [Snort-users] Mac Adresses in Acid Screens

> You'd have to modify the snort source code to get the MAC from the packet headers.

Really? What about snort -e?
Sorry this took so long to answer. I wanted to make sure that I had my facts straight.

snort -e *logs* link layer packet headers. We needed to feed the MAC addresses to the *database*, and the code for that didn't exist, so we had to write a patch. Obviously we also had to modify the database schema to add a field for the MAC.

It's really a one-off kind of thing, as I said earlier. On a switched network it would do no good at all, because the only MAC you see is the router's and/or the ones on the VLAN that you're on. AAMOF arpwatch won't help you either, for the same reasons. You could use arpspoof, but why go to that much trouble? You can correlate the MAC to the IP in the dhcpd logs if you use DHCP, and if you're static, you should already *know* which machine has which IP address. Or at least you can find it on the switches.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
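The DHCP-log correlation suggested in the message above, as an added example that is not part of the original post or of Snort/ACID: given an alert's source IP and timestamp, it finds the MAC that dhcpd most recently acknowledged for that IP. It assumes ISC dhcpd syslog lines of the form "DHCPACK on <ip> to <mac> (<host>) via <if>"; the log lines, addresses, hostnames and function names are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample lines in ISC dhcpd syslog style (not from the original post).
SAMPLE_DHCPD_LOG = """\
Oct 10 08:01:12 dhcp1 dhcpd: DHCPACK on 10.1.20.57 to 00:0c:29:aa:bb:01 (lab-pc7) via eth0
Oct 10 09:30:45 dhcp1 dhcpd: DHCPDISCOVER from 00:0c:29:aa:bb:02 via eth0
Oct 10 09:30:46 dhcp1 dhcpd: DHCPACK on 10.1.20.58 to 00:0C:29:AA:BB:02 via eth0
Oct 10 13:44:03 dhcp1 dhcpd: DHCPACK on 10.1.20.57 to 00:0c:29:aa:bb:03 (laptop-jr) via eth0
"""

# Only DHCPACK lines bind an IP to a MAC; the hostname in parentheses is optional.
ACK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+dhcpd(?:\[\d+\])?:\s+"
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9a-fA-F:]{17})"
    r"(?: \((?P<host>[^)]*)\))?"
)

def parse_acks(log_text, year):
    """Return time-sorted (time, ip, mac, hostname) tuples, one per DHCPACK line.

    Syslog timestamps carry no year, so the caller supplies it.
    """
    acks = []
    for line in log_text.splitlines():
        m = ACK_RE.match(line)
        if not m:
            continue  # DISCOVER/REQUEST/etc. do not confirm a binding
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        acks.append((ts, m["ip"], m["mac"].lower(), m["host"]))
    return sorted(acks, key=lambda a: a[0])

def mac_for_alert(acks, alert_ip, alert_time):
    """Return (mac, hostname, ack_time) of the last DHCPACK for alert_ip
    at or before alert_time, or None if the IP was never handed out by then."""
    best = None
    for ts, ip, mac, host in acks:
        if ip == alert_ip and ts <= alert_time:
            best = (mac, host, ts)  # later ACKs overwrite earlier ones
    return best

if __name__ == "__main__":
    acks = parse_acks(SAMPLE_DHCPD_LOG, 2003)
    # The same IP maps to different machines depending on when the alert fired.
    print(mac_for_alert(acks, "10.1.20.57", datetime(2003, 10, 10, 10, 0, 0)))
    print(mac_for_alert(acks, "10.1.20.57", datetime(2003, 10, 10, 13, 50, 0)))
```

The lookup does not model lease expiry or DHCPRELEASE, so a match is the last known holder of the address rather than proof that the lease was still active at alert time.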