Snort mailing list archives

Re: Mac-Address


From: Abid Ayoub <abid.ayoub () gmail com>
Date: Thu, 22 Aug 2013 11:08:46 +0200

Hi,

So, I am listening to the traffic from a mirror port on a Cisco switch
(Ethernet port).
I have added "config decode_data_link" to snort.conf in order to see
the MAC address printed on the screen when Snort sniffs the traffic.

I have used the u2boat tool, then read the file with tcpdump, but what I get
from the snort.u2.xxxx file is:

08/22-10:42:43.593477 x.x.x.x -> x.x.x.x
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:4531   Seq:1  ECHO

So, what is wrong? Solution?

Regards,
Abid


2013/8/21 beenph <beenph () gmail com>

Use u2boat (tool bundled with snort in tools/u2boat) on your unified2
file; it will extract raw packets from your unified2 file.

Then use tcpdump to read that pcap file and you will find what you are
looking for, if you have captured your packet via an Ethernet interface
and the captured packet is not stripped of its Ethernet header.

u2spewfoo will only display IP header information by default.
The database schema currently used by barnyard2 and the other output plugins
(text, alert, syslog) will not display/use the Ethernet source and dest MAC.



On Wed, Aug 21, 2013 at 11:18 AM, Abid Ayoub <abid.ayoub () gmail com> wrote:
Hi,

I am listening on an Ethernet interface, and this is what I get in
snort.u2.xx when a new attack happens:

(Event)
 sensor id: 0 event id: 1 event second: 1377070239 event microsecond: 132395
 sig id: 10010001 gen id: 1 revision: 1  classification: 0
 priority: 0 ip source: x.x.x.x ip destination: x.x.x.x
 src port: 8 dest port: 0 protocol: 1 impact_flag: 0 blocked: 0

Packet
 sensor id: 0 event id: 1 event second: 1377070239
 packet second: 1377070239  packet microsecond: 132395
 linktype: 1 packet_length: 98
[    0] 3C D9 2B 64 14 4C 00 0C 29 CD 76 9F 08 00 45 00  <.+d.L..).v...E.
[   16] 00 54 00 00 40 00 40 01 B0 DD C0 A8 04 78 C0 A8  .T..@.@......x..
[   32] 04 03 08 00 7B 14 78 25 00 01 9F 6C 14 52 64 03  ....{.x%...l.Rd.
[   48] 02 00 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15  ................
[   64] 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25  .......... !"#$%
[   80] 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35  &'()*+,-./012345
[   96] 36 37                                            67

So, am I doing something wrong? How can I also get the MAC addresses?

Regards,
Abid



2013/8/21 beenph <beenph () gmail com>

On Wed, Aug 21, 2013 at 4:07 AM, Abid Ayoub <abid.ayoub () gmail com> wrote:
Hi,

Thanks Andrew.

config decode_data_link will replace -e in the snort command.
The MAC address will be printed on the screen but it will not be saved
in the snort.u2.xxx file.


The MAC address is saved in the file if you're listening on an Ethernet
interface and the packet that you initially captured has an Ethernet header.


So, what should I do to save it in the file?

Regards
Abid


2013/8/20 Andrew Fox <andrewfox312 () gmail com>

Try adding:

config decode_data_link

to snort.conf

Source: http://manual.snort.org/node58.html


On Mon, Aug 19, 2013 at 8:40 AM, Abid Ayoub <abid.ayoub () gmail com> wrote:

Yes, no problem.
So how can I save this extra information in the Snort database? Should I
change the configuration?

Regards


2013/8/19 Joel Esler <jesler () sourcefire com>

You probably won't get the MAC address of the host. You will only get
the MAC address of the device that last handled the packet before Snort
saw it.


On Aug 19, 2013, at 9:08 AM, Abid Ayoub <abid.ayoub () gmail com> wrote:

Thanks.

So what I need is to save in the Snort database, when an attack is
detected, the MAC addresses of the host.
So how can I do that?

Regards,
Abid


2013/8/19 Joel Esler <jesler () sourcefire com>

Snort can dump the last MAC address that it sees when it sniffs the
packet; use the "-e" command line tag.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Aug 19, 2013, at 6:30 AM, Abid Ayoub <abid.ayoub () gmail com> wrote:

Hi,

Can Snort show the MAC address of hosts, with or instead of the
IP address?

Regards,
Abid



------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite!
It's a free troubleshooting tool designed for production.
Get down to code-level detail for bottlenecks, with <2% overhead.
Download for free and get started troubleshooting in minutes.



http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:

http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!

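The unified2 Packet record quoted in this thread already carries the Ethernet header (linktype: 1), so the MACs the original poster is after can be read straight out of its hex dump without going through u2boat and tcpdump. The following is an added example, not code from the thread or from the Snort project: it rebuilds the frame from u2spewfoo-style dump lines (the record above, embedded as constructed sample input) and decodes the Ethernet and IPv4 addresses with only the Python standard library.

```python
import re
import struct

# Hex dump of the unified2 "Packet" record quoted in this thread (linktype: 1,
# packet_length: 98), embedded here as constructed sample input.
U2_PACKET_DUMP = """
[    0] 3C D9 2B 64 14 4C 00 0C 29 CD 76 9F 08 00 45 00  <.+d.L..).v...E.
[   16] 00 54 00 00 40 00 40 01 B0 DD C0 A8 04 78 C0 A8  .T..@.@......x..
[   32] 04 03 08 00 7B 14 78 25 00 01 9F 6C 14 52 64 03  ....{.x%...l.Rd.
[   48] 02 00 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15  ................
[   64] 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25  .......... !"#$%
[   80] 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35  &'()*+,-./012345
[   96] 36 37                                            67
"""

# "[ offset] XX XX ... <ascii>": a greedy run of "XX " tokens stops at the
# two-space gap before the ASCII column, so "67" on the last line is not read.
DUMP_LINE = re.compile(r"^\[\s*(\d+)\]\s((?:[0-9A-Fa-f]{2} )+)")

def parse_u2_hexdump(dump: str) -> bytes:
    """Rebuild raw packet bytes from a u2spewfoo-style hex dump, checking
    that each line's offset equals the number of bytes collected so far."""
    raw = bytearray()
    for line in dump.splitlines():
        m = DUMP_LINE.match(line + " ")  # trailing space closes the last token
        if not m:
            continue  # header lines such as "Packet" or "linktype: 1"
        if int(m.group(1)) != len(raw):
            raise ValueError(f"offset {m.group(1)} does not follow {len(raw)} bytes")
        raw += bytes.fromhex(m.group(2))
    return bytes(raw)

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def decode_ethernet(pkt: bytes, linktype: int = 1) -> dict:
    """Return the MACs that Snort's text/database outputs leave out. Only
    linktype 1 (DLT_EN10MB) carries an Ethernet header, and the source MAC is
    that of the last device to forward the frame, not necessarily the host."""
    if linktype != 1:
        raise ValueError(f"linktype {linktype} carries no Ethernet header")
    if len(pkt) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", pkt[:14])
    info = {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "ethertype": ethertype}
    if ethertype == 0x0800 and len(pkt) >= 34:  # IPv4: add the L3 addresses too
        info["src_ip"] = ".".join(map(str, pkt[26:30]))  # fixed offsets, any IHL
        info["dst_ip"] = ".".join(map(str, pkt[30:34]))
        info["ip_proto"] = pkt[23]
    return info
```

Running `decode_ethernet(parse_u2_hexdump(U2_PACKET_DUMP))` on the record above yields the two MACs from its first 12 bytes together with the ICMP endpoints (protocol 1) that the x.x.x.x lines in the text output hide.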
