[Snort-devel] database logging feature request

Bill Marquette wlmarque at ...10...
Fri Oct 27 17:58:47 EDT 2000


Jed, would it be possible to add ethernet (hardware) header logging to the snort
database (specifically MAC addresses, but anything else that can be commonly
logged would be nice)?  I just ran into an issue where I couldn't track someone
down that was on the same segment (of a couple hundred machines) as my IDS box
because I didn't have the information available to me and by the time I'd got
the logs the ARP cache on both router and sensor had expired.  The only thing
that I know about the offensive packets is that based on the TTL it's local AND
it's an NT box.

--Bill
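An added illustration (not from Bill's mail or from Snort itself) of the data the request is after: a small Python parser that pulls the Ethernet header fields, an optional 802.1Q VLAN tag, and the IPv4 source address and TTL out of a raw frame, and flattens them into the row a sensor could store next to the alert. The two sample frames are constructed here; the MAC and IP addresses in them, and the helper names, are assumptions for the example. Keeping the source MAC in the database is what survives the ARP cache expiring on the router and the sensor; the TTL check reproduces the "it's local" inference in the mail as a heuristic only.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100      # 802.1Q tag sits between the src MAC and the real EtherType
ETHERNET_HDR_LEN = 14
VLAN_TAG_LEN = 4
IPV4_MIN_HDR_LEN = 20

# Initial TTLs commonly used by host stacks; seeing one of these intact means the
# packet has not crossed a router. Heuristic, not proof of locality.
COMMON_INITIAL_TTLS = {64, 128, 255}


@dataclass
class EtherLogRecord:
    """Link-layer fields worth storing alongside the IP-layer alert."""
    dst_mac: str
    src_mac: str
    ethertype: int
    vlan_id: Optional[int]
    src_ip: Optional[str]
    ttl: Optional[int]


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> EtherLogRecord:
    """Extract MACs, EtherType, optional VLAN id, and IPv4 src/TTL from a raw frame."""
    if len(frame) < ETHERNET_HDR_LEN:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETHERNET_HDR_LEN])
    offset = ETHERNET_HDR_LEN
    vlan_id = None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < offset + VLAN_TAG_LEN:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[offset:offset + VLAN_TAG_LEN])
        vlan_id = tci & 0x0FFF          # low 12 bits of the TCI carry the VLAN id
        offset += VLAN_TAG_LEN
    src_ip = ttl = None
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= offset + IPV4_MIN_HDR_LEN:
        ip_hdr = frame[offset:offset + IPV4_MIN_HDR_LEN]
        ttl = ip_hdr[8]                 # byte 8 of the IPv4 header is the TTL
        src_ip = ".".join(str(b) for b in ip_hdr[12:16])
    return EtherLogRecord(fmt_mac(dst), fmt_mac(src), ethertype, vlan_id, src_ip, ttl)


def looks_local(record: EtherLogRecord) -> bool:
    """True if the TTL is an untouched initial value (zero router hops seen)."""
    return record.ttl in COMMON_INITIAL_TTLS


def to_db_row(record: EtherLogRecord) -> tuple:
    """Column order for a parameterised INSERT into an assumed 'ethernet' table."""
    return (record.src_mac, record.dst_mac, record.ethertype,
            record.vlan_id, record.src_ip, record.ttl)


# --- constructed sample frames (all addresses are made up for this example) ---
def _ipv4_header(src: tuple, dst: tuple, ttl: int) -> bytes:
    # version/IHL, TOS, total len, id, flags/frag, TTL, proto (TCP), checksum, src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, 6, 0, bytes(src), bytes(dst))

DST_MAC = bytes.fromhex("001122334455")   # constructed sensor/router MAC
SRC_MAC = bytes.fromhex("000c29aabbcc")   # constructed offending host MAC

SAMPLE_FRAME = (DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4)
                + _ipv4_header((10, 0, 0, 23), (10, 0, 0, 5), 128))

SAMPLE_VLAN_FRAME = (DST_MAC + SRC_MAC
                     + struct.pack("!HHH", ETHERTYPE_VLAN, 100, ETHERTYPE_IPV4)
                     + _ipv4_header((10, 0, 5, 9), (10, 0, 0, 5), 127))

if __name__ == "__main__":
    for f in (SAMPLE_FRAME, SAMPLE_VLAN_FRAME):
        rec = parse_frame(f)
        print(to_db_row(rec), "local" if looks_local(rec) else "routed")
```

The row from to_db_row() is what would go into the database alongside the existing alert columns; the sensor only has to keep it for frames it already decided to log, so the storage cost is a few bytes per event.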
