RE: [Snort-users] detect on specific MAC address



#1, 10-21-2004
Williams Jon
RE: [Snort-users] detect on specific MAC address

Internally, snort doesn't have visibility to the MAC address
information; snort only looks at IP and higher in the stack. You can,
however, run snort with a BPF on the command line to get more
flexibility. So, if you want to limit snort to only the one dst MAC,
you'd do something like:

snort <normal snort arguments> ether dst host <dst mac address>

Jon

_____

From: snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Jericho Lee
Sent: Thursday, October 21, 2004 8:31 AM
To: snort-users@lists.sourceforge.net
Subject: [Snort-users] detect on specific MAC address

Hi List,

We all know that snort can be in NIDS mode to detect all the
packets in the network, but can snort just detect some specific
destination address?

I have a computer with 2 NICs, and I want snort to detect some
packets sent to the second NIC only,

so other packets whose header MAC address is not the same as the
2nd NIC's MAC address will not be captured by snort.

Can snort do this?

Thanks for your help in advance.

Jericho Lee



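The filter Jon describes, as an added illustration that is not part of either post: libpcap evaluates the BPF expression on the raw Ethernet frame before Snort's rules ever run, so a frame that fails `ether dst host` is never inspected. The interface name, config path and MAC addresses below are constructed for the example, and the third sample frame goes one step beyond the thread to show that broadcast frames the second NIC also receives are excluded by this filter.

```python
import re
import shlex

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")

def normalize_mac(mac: str) -> bytes:
    """Validate aa:bb:cc:dd:ee:ff (or dash-separated) and return the 6 raw bytes."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(re.sub(r"[:-]", "", mac))

def snort_command(snort_args, dst_mac: str) -> str:
    """Compose the command line from the reply: snort's own arguments, then the
    BPF expression as one shell-quoted argument so it is not split on spaces."""
    mac = ":".join(f"{b:02x}" for b in normalize_mac(dst_mac))
    words = ["snort", *snort_args, f"ether dst host {mac}"]
    return " ".join(shlex.quote(w) for w in words)

def ether_dst(frame: bytes) -> bytes:
    """The destination MAC is the first 6 bytes of an Ethernet II frame
    (followed by the 6-byte source MAC and the 2-byte EtherType)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    return frame[:6]

def apply_ether_dst_filter(frames, dst_mac: str):
    """Keep only the frames that 'ether dst host <dst_mac>' would let through
    to Snort; everything else is discarded by libpcap before any rule runs."""
    want = normalize_mac(dst_mac)
    return [f for f in frames if ether_dst(f) == want]

def frame(dst: str, src: str, ethertype: int = 0x0800, payload: bytes = b"\x45") -> bytes:
    """Build a minimal constructed Ethernet II frame for the demonstration."""
    return normalize_mac(dst) + normalize_mac(src) + ethertype.to_bytes(2, "big") + payload

# Constructed sample values: a made-up MAC for the second NIC and one peer.
NIC2 = "00:11:22:33:44:55"
PEER = "00:11:22:33:44:66"
SAMPLE_FRAMES = [
    frame(NIC2, PEER),                         # unicast to the 2nd NIC: passes
    frame(PEER, NIC2),                         # sent by the 2nd NIC: dropped
    frame("ff:ff:ff:ff:ff:ff", PEER, 0x0806),  # broadcast ARP: dropped, although the NIC receives it
]

if __name__ == "__main__":
    print(snort_command(["-i", "eth1", "-c", "/etc/snort/snort.conf"], NIC2))
    kept = apply_ether_dst_filter(SAMPLE_FRAMES, NIC2)
    print(f"{len(kept)} of {len(SAMPLE_FRAMES)} constructed frames reach Snort")
```

If the second NIC's broadcast or multicast traffic matters to your rules, the BPF expression needs an explicit `or` clause for it; the bare `ether dst host` filter keeps unicast only.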

