[Snort-devel] New Feature based on MAC address filtering (Possible !!!!!)

Keith R Kilby krkilby at ...1875...
Tue Jun 17 02:15:15 EDT 2003

Frank Knobbe wrote:

>On Mon, 2003-06-16 at 23:23, Atul Shrivastava wrote:
>>The feature is such that we can make a rule based on the MAC address. I
>>mean to say that I will make a pool of valid MAC addresses and then if
>>any of the MAC addresses doesn't match with this MAC address pool then
>>an alert has been generated for that. For that it is required to add
>>one more preprocessor and then in that preprocessor we have to
>>manually add the MAC addresses. Is it possible, because this feature
>>is not there in any of the leading IDS.
>To discover new MAC addresses, use arpwatch. It is not the role of an
>IDS to detect new MACs.
Sorry, but I would have to disagree. In my experience anybody attaching to the network and stealing a valid IP from your network would only be detectable by checking the MAC address. So it must be a function of the Intrusion Detection System to report such occurrences.

There are some (expensive) routers and switched hubs that detect MAC address changes and flag them to the network manager, but I agree for a small network (small office single segment LAN) this would be a sensible addition to the SNORT arsenal.

>>This feature solves the problem that if anyone comes to your internal
>>LAN physically with his laptop and then plugs his laptop into the
>>internal LAN and takes a valid IP from some employees on a personal
>>basis and tries to copy some important and confidential data from the
>>network or tries to do something illegal in the network, if this feature
>>is there then he will be caught by that thing.
>Keep in mind that the rogue laptop would have to be plugged into the
>same broadcast domain as the IDS, otherwise you won't detect the new MAC
>address. You can however detect new IP addresses and you can detect
>illegal activity.
Not strictly true? I believe that any MAC address would be detectable if it is on the same segment of the LAN as the IDS sensor; broadcasts and domains have little to do with it at that level of the protocol stack.

>If you are concerned about ARP spoofing, I believe Jeff's arpspoof
>preprocessor takes care of that.
>Don't try to put too many functions in one piece of software. Instead,
>create an arsenal of tools dedicated to certain tasks. Snort does not
>detect when your hard drives run out of disk space either. Sometimes I
>get the feeling that people want to put too much functionality into one
>device, and try to shape it like a silver bullet. It won't work.
>(Firewalls and access control and IDS and virus scanning and content
>management and PKI and identity management and network forensics.....
>all in one box? ;)
As with all the functions of SNORT you turn them on or off as you require them for your intrusion detection requirements. So adding another configurable preprocessor is only adding another tool that some people may want to use.
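The detection logic the thread is discussing, written out as an added example (this is not Snort code and not a preprocessor from the project): a MAC allow list checked against the source address of each Ethernet frame the sensor sees, plus the "valid IP now coming from a different MAC" case that Keith describes. The frames below are constructed inline (`build_frame` is a hypothetical helper that writes a minimal, checksum-free IPv4 header), and the allow list is a made-up set of two addresses. As in the thread, it only sees frames that actually reach the sensor's interface.

```python
"""MAC allow-list detector over raw Ethernet II frames (added example)."""
import struct
from dataclasses import dataclass
from typing import List, Optional

ETHERTYPE_IPV4 = 0x0800


def mac_str(b: bytes) -> str:
    """Render 6 raw bytes as a lowercase colon-separated MAC string."""
    return ":".join(f"{x:02x}" for x in b)


def parse_ethernet(frame: bytes):
    """Return (dst_mac, src_mac, ethertype, payload) from an Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return mac_str(dst), mac_str(src), etype, frame[14:]


def ipv4_src(payload: bytes) -> Optional[str]:
    """Source IPv4 address from a payload that starts with an IPv4 header."""
    if len(payload) < 20 or payload[0] >> 4 != 4:
        return None
    return ".".join(str(x) for x in payload[12:16])


@dataclass(frozen=True)
class Alert:
    kind: str
    mac: str
    ip: Optional[str]
    detail: str


class MacPolicy:
    """Allow list of known MACs plus a memory of which MAC first used each IP."""

    def __init__(self, allowed):
        self.allowed = {m.lower() for m in allowed}
        self.seen_ip_mac = {}  # ip -> MAC first seen sending from that ip

    def check(self, frame: bytes) -> List[Alert]:
        _dst, src, etype, payload = parse_ethernet(frame)
        ip = ipv4_src(payload) if etype == ETHERTYPE_IPV4 else None
        alerts = []
        if src not in self.allowed:
            alerts.append(Alert("UNKNOWN_MAC", src, ip, "source MAC not in allow list"))
        if ip is not None:
            prev = self.seen_ip_mac.setdefault(ip, src)
            if prev != src:  # a known IP now arriving from a different adapter
                alerts.append(Alert("IP_MAC_CHANGE", src, ip,
                                    f"{ip} previously seen from {prev}"))
        return alerts


def build_frame(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str) -> bytes:
    """Hypothetical helper: constructed IPv4-over-Ethernet frame, minimal IP header."""
    eth = (bytes.fromhex(dst_mac.replace(":", ""))
           + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                         bytes(int(o) for o in src_ip.split(".")),
                         bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip_hdr


# Constructed sample data: two known adapters and one unknown one that
# reuses the first adapter's IP.
ALLOWED = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}
SAMPLE_FRAMES = [
    build_frame("00:11:22:aa:bb:01", "ff:ff:ff:ff:ff:ff", "10.0.0.5", "10.0.0.1"),
    build_frame("00:11:22:aa:bb:02", "ff:ff:ff:ff:ff:ff", "10.0.0.6", "10.0.0.1"),
    build_frame("de:ad:be:ef:00:99", "ff:ff:ff:ff:ff:ff", "10.0.0.5", "10.0.0.1"),
]


def run_sample() -> List[List[str]]:
    """Alert kinds raised per sample frame, in order."""
    policy = MacPolicy(ALLOWED)
    return [[a.kind for a in policy.check(f)] for f in SAMPLE_FRAMES]


if __name__ == "__main__":
    policy = MacPolicy(ALLOWED)
    for frame in SAMPLE_FRAMES:
        for alert in policy.check(frame):
            print(alert)
```

The third frame produces two alerts: its source MAC is not on the list, and 10.0.0.5 had already been seen coming from the first adapter. The IP-to-MAC memory is what catches the "borrowed valid IP" case even if someone later adds the rogue MAC to the list by mistake; on a real sensor it would need an ageing policy so legitimate adapter replacements do not alert forever.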
