IDS mailing list archives
Re: SNORT: MAC Address Alert
From: Jordan Wiens <jwiens () nersp nerdc ufl edu>
Date: Thu, 18 Sep 2003 15:06:41 -0400 (EDT)
You could do that with snort, or you could more simply use tcpdump. If you have a machine with a wireless card and a network card, simply use tcpdump and have it log all packets from those MACs and send the output to a script that mails your phone. Assuming wlan0 is the wireless interface:

    tcpdump -i wlan0 -c 2 -l '(ether host BA:DC:AB:BE:DE:AD) or (ether host BA:DC:AB:BE:22:22)' | mail -s "They are back" myphone () mycarrier com

--
Jordan Wiens, CISSP
UF Network Incident Response Team
(352)392-2061

On Wed, 17 Sep 2003, James Williams wrote:
> We have been having an issue over the past couple of days where a couple of computers are gaining access to our network and picking arbitrary IP addresses to send SPAM emails. We have the MAC addresses of the suspected computers and know which locations they are coming from, but they do not spend much time in any one location.
>
> What I would like to do is setup a box with snort and configure a very specific rule set to have snort text message my mobile phone when it sees these two MAC addresses on our network and possibly from which switch/wap/vlan/etc. Is this possible? If so can somebody give me a couple configuration examples?
>
> Thank you,
> James Williams
>
> ---------------------------------------------------------------------------
> Captus Networks IPS 4000
> Intrusion Prevention and Traffic Shaping Technology to:
> - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
> - Automatically Control P2P, IM and Spam Traffic
> - Precisely Define and Implement Network Security & Performance Policies
> FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
> http://www.securityfocus.com/sponsor/CaptusNetworks_focus-ids_000101
> ---------------------------------------------------------------------------
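The reply above pipes raw tcpdump output straight into mail, which works for a one-off but pages once per captured packet. The following is an added example, not code from the thread or from either poster: a small POSIX sh filter that reads tcpdump -e link-layer lines on stdin, compares the source/destination MACs against a watchlist, and emits a single alert line per watched MAC for the run, so the downstream mail step produces one message per rogue host rather than a flood. The two MACs are the placeholder addresses from the thread; the tcpdump lines in SAMPLE are constructed here so the block runs offline.

```shell
#!/bin/sh
# Added example (not from the original thread). Watch for known MAC
# addresses in `tcpdump -e -l -n` output and alert once per MAC.

# Watchlist: the placeholder MACs used in the thread, lowercased for
# case-insensitive matching (tcpdump prints lowercase hex).
WATCHLIST="ba:dc:ab:be:de:ad ba:dc:ab:be:22:22"

# Constructed sample of tcpdump -e output, stand-in for a live capture.
SAMPLE='15:06:41.000100 BA:DC:AB:BE:DE:AD > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 98: 10.0.0.5 > 10.0.0.1: ICMP echo request
15:06:41.000200 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 66: 10.0.0.1 > 10.0.0.9.80: Flags [S]
15:06:41.000300 BA:DC:AB:BE:DE:AD > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 74: 10.0.0.5 > 10.0.0.7.25: Flags [S]
15:06:41.000400 BA:DC:AB:BE:22:22 > 00:11:22:33:44:55, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.1'

# match_mac LINE: print the first watched MAC present in LINE (lowercased);
# exit status 1 when none of the watchlist appears.
match_mac() {
  needle=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  for mac in $WATCHLIST; do
    case "$needle" in
      *"$mac"*) printf '%s\n' "$mac"; return 0 ;;
    esac
  done
  return 1
}

# alert_stream: read capture lines from stdin and print one
# "ALERT <mac> first seen: <line>" per watched MAC. Later packets from a
# MAC already reported are dropped, which keeps the pager quiet while the
# capture keeps running.
alert_stream() {
  seen=""
  while IFS= read -r line; do
    mac=$(match_mac "$line") || continue
    case " $seen " in
      *" $mac "*) continue ;;
    esac
    seen="$seen $mac"
    printf 'ALERT %s first seen: %s\n' "$mac" "$line"
  done
}

# sample_alert_count: number of alert lines produced for the constructed
# SAMPLE above (two distinct watched MACs appear, so the answer is 2).
sample_alert_count() {
  printf '%s\n' "$SAMPLE" | alert_stream | wc -l | tr -d ' '
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE" | alert_stream
```

In production the filter sits between the capture and the mailer, for example `tcpdump -i wlan0 -e -l -n 'ether host BA:DC:AB:BE:DE:AD or ether host BA:DC:AB:BE:22:22' | alert_stream | mail -s "They are back" myphone () mycarrier com`; the `-l` keeps tcpdump line-buffered so alerts are not held in a stdio buffer, and dropping `-c` lets the watch run indefinitely instead of stopping after the first two packets. The dedup state here lives in a single shell variable and resets when the process restarts; for a watch that runs for days, a timestamp per MAC with a cooldown window is the usual next step.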
Current thread:
- SNORT: MAC Address Alert James Williams (Sep 18)
- Re: SNORT: MAC Address Alert Jordan Wiens (Sep 19)
- Re: SNORT: MAC Address Alert Jordan Wiens (Sep 22)
- Re: SNORT: MAC Address Alert Mark Coleman (Sep 19)
- Re: SNORT: MAC Address Alert noconflic (Sep 19)
- Re: SNORT: MAC Address Alert Florin Andrei (Sep 19)
- Re: SNORT: MAC Address Alert Brad McGary (Sep 19)
- Re: SNORT: MAC Address Alert noconflic (Sep 22)
- Re: SNORT: MAC Address Alert Maxime Ducharme (Sep 22)
- Re: SNORT: MAC Address Alert noconflic (Sep 22)
- <Possible follow-ups>
- RE: SNORT: MAC Address Alert Jorge Coll (Sep 22)
- Re: SNORT: MAC Address Alert Jordan Wiens (Sep 19)
