[Snort-devel] New Feature based on MAC address filtering (Possible !!!!!)

Frank Knobbe fknobbe at ...337...
Tue Jun 17 07:40:10 EDT 2003


On Tue, 2003-06-17 at 04:06, Keith R Kilby wrote:
> Sorry, but I would have to disagree, in my experience anybody attaching to
> the network and stealing a valid IP from your network would only be
> detectable by checking the MAC address. So it must be a function of the
> Intrusion Detection System to report such occurrences.

You are allowed to disagree :)  Yes, it is a somewhat useful function
("somewhat" because someone could fake an existing MAC address. This is
often done on wireless networks to evade MAC filtering). Something
should be watching arps, but it is my opinion that it doesn't need to be
Snort. As mentioned earlier, software for that (arpwatch) already
exists.

> Not strictly true? I believe that any MAC address would be detectable if
> it is on the same segment of the LAN as the IDS sensor; broadcasts and
> domains have little to do at that level of the protocol stack.

With "broadcast domain" I was referring to the network segment. Due to
the high proliferation of switches, it has become uncommon to have
"collision domains". Those terms should be as familiar as the 5-4-3 rule
for Ethernet.



Regards,
Frank
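The ARP-watching approach Frank points to, as an added illustration that is not code from this thread, from Snort, or from arpwatch: it keeps the IP-to-MAC binding seen in each ARP reply and reports when a known IP starts answering from a different hardware address. The event names are modelled on arpwatch's reports, the record format is a constructed text line (timestamp, sender IP, sender MAC) standing in for captured ARP replies, and the `ArpWatcher` class and `parse_arp_line` helper are assumptions of this example.

```python
"""Minimal arpwatch-style monitor (illustration only, not arpwatch or Snort code).

It tracks the IP -> MAC binding seen in ARP replies and raises an event when
an IP that was already known shows up with a different hardware address,
which is how a second host using a "stolen" IP becomes visible on a segment.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ArpEvent:
    kind: str            # "new station", "changed ethernet address", "flip flop"
    ip: str
    mac: str             # address seen now
    old_mac: Optional[str]
    ts: int


@dataclass
class ArpWatcher:
    # current binding per IP, and the MAC that binding replaced (for flip-flop detection)
    bindings: dict = field(default_factory=dict)   # ip -> mac
    previous: dict = field(default_factory=dict)   # ip -> mac seen before the current one

    def observe(self, ip: str, mac: str, ts: int) -> Optional[ArpEvent]:
        mac = mac.lower()                 # normalise case so aa:bb == AA:BB
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac
            return ArpEvent("new station", ip, mac, None, ts)
        if known == mac:
            return None                   # same binding as before, nothing to report
        # The IP now answers from a different hardware address.
        # If it is bouncing back to the address we saw earlier, call it a flip flop
        # (two stations contending for the same IP); otherwise a plain change.
        kind = "flip flop" if self.previous.get(ip) == mac else "changed ethernet address"
        self.previous[ip] = known
        self.bindings[ip] = mac
        return ArpEvent(kind, ip, mac, known, ts)


def parse_arp_line(line: str) -> tuple[str, str, int]:
    """Parse the constructed record format: '<ts> arp reply <ip> is-at <mac>'."""
    ts, _arp, _reply, ip, _is_at, mac = line.split()
    return ip, mac, int(ts)


# Constructed sample ARP replies (not captured traffic): 10.0.0.5 is first seen
# at one MAC, then answers from a second MAC, then from the original again.
SAMPLE_ARP_REPLIES = [
    "1055837000 arp reply 10.0.0.5 is-at 00:11:22:33:44:55",
    "1055837001 arp reply 10.0.0.7 is-at 00:aa:bb:cc:dd:ee",
    "1055837002 arp reply 10.0.0.5 is-at 00:11:22:33:44:55",
    "1055837003 arp reply 10.0.0.5 is-at de:ad:be:ef:00:01",
    "1055837004 arp reply 10.0.0.5 is-at 00:11:22:33:44:55",
    "1055837005 arp reply 10.0.0.7 is-at 00:AA:BB:CC:DD:EE",
]


def run(lines: list[str]) -> list[ArpEvent]:
    """Feed records through one watcher and collect the events worth reporting."""
    watcher = ArpWatcher()
    events = []
    for line in lines:
        ip, mac, ts = parse_arp_line(line)
        event = watcher.observe(ip, mac, ts)
        if event is not None:
            events.append(event)
    return events


if __name__ == "__main__":
    for e in run(SAMPLE_ARP_REPLIES):
        print(f"{e.ts} {e.kind}: {e.ip} {e.mac} (was {e.old_mac})")
```

Running it on the sample reports two new stations, a "changed ethernet address" for 10.0.0.5 and then a "flip flop" when the original address reappears. Note the limitation Frank raises in the same message: a second host that copies the legitimate station's MAC as well as its IP produces no binding change, so this check cannot see it.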

