[Snort-devel] New Feature based on MAC address filterig (Possible !!!!!)

Frank Knobbe fknobbe at ...337...
Mon Jun 16 22:15:08 EDT 2003

On Mon, 2003-06-16 at 23:23, Atul Shrivastava wrote:
> The feature is such that we can make rule based on the MAC address. I
> mean to say that I will make a pool of valid MAC addresses and then if
> any of the MAC addresses doesn't match with this MAC address pool then
> a alert has been generated for that. For that it is required to add
> one more preprocessor and then in that preprocessor we have to
> manually add the MAC addresses. Is it possible, because this feature
> is not there in any of the leading IDS.

To discover new MAC addresses, use arpwatch. It is not the role of an
IDS to detect new MACs.

> This feature solves the problem that if anyone comes to your internal
> LAN physically with this laptop and then plugs his laptop into the
> internal LAN and takes a valid IP from some employess on personal
> basis and try to copy some important and confidential data from the
> network or try to do something illegal in the network, if this feature
> is there then he bill be caught by that thing.

Keep in mind that the rogue laptop would have to be plugged into the
same broadcast domain as the IDS, otherwise you won't detect the new MAC
address. You can however detect new IP addresses and you can detect
illegal activity.

It you are concerned about ARP spoofing, I believe Jeff's arpspoof
preprocessor takes care of that.

Don't try to put too many functions in one piece of software. Instead,
create an arsenal of tools dedicated to certain tasks. Snort does not
detect when your hard drives run out of disk space either. Sometimes I
get the feeling that people want to put too much functionality into one
device, and try to shape it like a silver bullet. It won't work.
(Firewalls and access control and IDS and virus scanning and content
management and PKI and identity management and network forensics.....
all in one box? ;)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20030616/b514b1f2/attachment.sig>

More information about the Snort-devel mailing list