Snort mailing list archives

Re: Snorting the MAC address


From: Erek Adams <erek () theadamsfamily net>
Date: Thu, 11 Apr 2002 15:22:03 -0700 (PDT)

On Thu, 11 Apr 2002, Nate Haggard wrote:

Snort grabs IPs, and that is great until someone tries to spoof their
IP.  Is there any way to get snort to log both the IP and MAC address?

Yep.

Does anyone know what part of the code to look at for this feature?

You can find it in the ShowUsage call.  :)

Maybe there is a good reason snort doesn't log the MAC and I'm just
clueless.

Naaaa...  We're just getting a lot of commandline options for snort these days.

[erek@foofusbunny]/snort#./snort -\?

-*> Snort! <*-
Version 1.8.6 (Build 105)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
USAGE: ./snort [-options] <filter options>
Options:

[...snip...]
        -a         Display ARP packets
[...snip...]

You might also want to take a look at the arpspoof preprocessor.

[erek@foofusbunny]/snort#more snort.conf
[...snip...]

# arpspoof
#----------------------------------------
# Experimental ARP detection code from Jeff Nathan, detects ARP attacks,
# unicast ARP requests, and specific ARP mapping monitoring.  To make use
# of this preprocessor you must specify the IP and hardware address of hosts on
# the same layer 2 segment as you.  Specify one host IP MAC combo per line.
# Also takes a "-unicast" option to turn on unicast ARP request detection.

#preprocessor arpspoof
#preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00

[...snip...]

Hope that helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
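
The IP/MAC mapping check described in the snort.conf comments above, as an added example that is not part of the original post and is not Snort's own code. It is a simplified stand-alone sketch: the function names, the `unicast` flag, and every sample address except the 192.168.40.1 / f0:0f:00:f0:0f:00 pair are assumptions made for illustration.

```python
import struct

# IP -> MAC pairs to monitor; this entry mirrors the arpspoof_detect_host line above.
KNOWN_HOSTS = {"192.168.40.1": "f0:0f:00:f0:0f:00"}
BROADCAST = "ff:ff:ff:ff:ff:ff"

def _mac(b):
    return ":".join(f"{x:02x}" for x in b)

def _ip(b):
    return ".".join(str(x) for x in b)

def check_arp_frame(frame, known=KNOWN_HOSTS, unicast=False):
    """Return a list of alert strings for one raw Ethernet frame."""
    if len(frame) < 42:
        return []                      # too short for Ethernet + IPv4 ARP
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        return []                      # not ARP
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return []                      # only Ethernet/IPv4 ARP is handled
    alerts = []
    sender_ip, sender_mac = _ip(spa), _mac(sha)
    # Mapping monitoring: a watched IP announced with a different MAC.
    expected = known.get(sender_ip)
    if expected and expected.lower() != sender_mac:
        alerts.append(f"{sender_ip} claimed by {sender_mac}, expected {expected}")
    # Frame header and ARP payload disagree about who sent the packet.
    if _mac(eth_src) != sender_mac:
        alerts.append(f"ethernet source {_mac(eth_src)} != ARP sender {sender_mac}")
    # Optional check, analogous to the "-unicast" option: requests are normally broadcast.
    if unicast and op == 1 and _mac(eth_dst) != BROADCAST:
        alerts.append(f"unicast ARP request from {sender_mac} to {_mac(eth_dst)}")
    return alerts

def build_arp(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Build a constructed 42-byte ARP frame for testing (no network access)."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    i = lambda s: bytes(int(o) for o in s.split("."))
    hdr = struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, op)
    return m(eth_dst) + m(eth_src) + hdr + m(sha) + i(spa) + m(tha) + i(tpa)

if __name__ == "__main__":
    # Constructed sample frames: one legitimate reply, one with the wrong MAC.
    gw, host, rogue = "f0:0f:00:f0:0f:00", "02:00:00:00:00:10", "02:00:00:00:00:99"
    ok = build_arp(host, gw, 2, gw, "192.168.40.1", host, "192.168.40.10")
    bad = build_arp(host, rogue, 2, rogue, "192.168.40.1", host, "192.168.40.10")
    print(check_arp_frame(ok), check_arp_frame(bad))
```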

