Snort mailing list archives

RE: detect on specific MAC address

From: "Williams Jon" <WilliamsJonathan () JohnDeere com>
Date: Thu, 21 Oct 2004 09:53:35 -0500

Internally, snort doesn't have visibility to the MAC address
information; snort only looks at IP and higher in the stack.  You can,
however, run short with a BPF on the command line to get more
flexibility.  So, if you want to limit snort to only the one dst MAC,
you'd do something like:
 
snort <normal snort arguments> ether dst host <dst mac address>
 
Jon

  _____  

From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Jericho
Lee
Sent: Thursday, October 21, 2004 8:31 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] detect on specific MAC address



HI List, 

 

           We all know that snort can be in NIDS mode to detect all the
packets in the network, but can snort just detect some specific
destination address??

           I have a computer with 2 NIC, and I want snort to detect some
packets send to the second NIC only, 

So other packets without the MAC address in the header the same with the
2nd NIC MAC address will not be captured by snort, 

Can snort do this? 

 

Thanks for your Help in advance.

 

Jericho Lee

Current thread:

detect on specific MAC address Jericho Lee (Oct 21)
- Re: detect on specific MAC address Matt Kettler (Oct 21)
- <Possible follow-ups>
- RE: detect on specific MAC address Williams Jon (Oct 21)