[Snort-devel] Snort Match MAC-addr

Martin Olsson elof at ...969...
Thu Jan 8 03:26:01 EST 2004


Hi!

I'm sitting here thinking... Is it not possible to add a new keyword that
matches on the frame's MAC addresses?

It would be quite useful when one wants to detect traffic going a
particular *physical* way.


Take the "MS-SQL Worm propagation attempt OUTBOUND" as an example. It
triggers on traffic from HOME_NET to EXTERNAL_NET 1434.

There are some problems here though:

* Since the worm spoofs its source address, this rule won't trigger
  when an internal machine is attacking others (the spoofed address won't
  match HOME_NET).
* I configure a switch port to mirror two other ports, my internal
  and external nets. Two snort processes monitor this mirror-port. One
  of them has HOME_NET=<my internal net> while the other one has
  HOME_NET=<my external net>.
  The external net is connected to the Internet, so here I see lots of
  worm-packets when they try to infect my external hosts. Every once in a
  while, the spoofed address of these worm-packets happens to match my
  internal IP range. Now the snort with HOME_NET=<my internal net> starts
  giving false positives ==> My management system alerts me that I have
  OUTBOUND worm propagation attempts.

The solution to the above, as well as a very useful feature in general,
would be to modify the rule not to rely on the HOME_NET as the source.
Instead we use "any" since we don't know what the spoofed address will
be. Then we add a new keyword to our rule...

Something like this:

Original rule:
alert udp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"Worm"; ...

Modified rule:
alert udp any any -> $EXTERNAL_NET 1434 (msg:"Worm"; srcmac: "001122334455";

MAC-address 001122334455 would in this case be the external interface of
my Internet-router (and snort is monitoring this external segment).

Result: I now can trigger on traffic that is physically going OUT from my
network to the Internet, catching OUTBOUND evil things.



In short, I'd like two new keywords: srcmac and dstmac, which both take a
list of MAC-addresses or the word "any" as values.

Example:
Do not match this packet if it's going to 001122334455 or if it is a
broadcast:
  dstmac: !"001122334455,ffffffffffff";


Using srcmac or dstmac with the value "any" might seem pretty unnecessary,
since it will always return True. The logical step would be to remove this
test from the rule.

The reason why I think the value "any" should exist is to make it possible
for people to create public rules that use srcmac and dstmac even though
the author of the rule doesn't know what the MAC address should be set to in
every different case. This public rule is just a template, so before users
start using it in their snort-installation they should modify this value
to their needs. Maybe we could add a new global variable in snort.conf:

  # Set this to the MAC address(es) of the gateway(s) towards Internet for
  # the monitored segment(s) (HOME_NET)
  var OUTBOUND_GW_MAC any



Is this possible and interesting? What do you think?

/O

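As an added illustration of the proposal (this is example code, not part of the post and not Snort's own implementation), the following evaluator parses the suggested srcmac:/dstmac: option syntax ("any", a quoted comma-separated MAC list, optional leading "!") and applies it to the MAC addresses of a raw Ethernet II frame; the frame builder and its addresses are constructed sample data.

```python
# Added example, not code from the post or from Snort: a small evaluator for the
# proposed srcmac:/dstmac: rule options, using the option syntax from the post:
# "any", or a quoted comma-separated MAC list, optionally prefixed with '!'.
import struct


def parse_mac_option(value: str):
    """Return (negate, mac_set) for 'any', '"001122334455"' or '!"0011...,ffff..."'."""
    value = value.strip().rstrip(";").strip()
    negate = value.startswith("!")
    if negate:
        value = value[1:].strip()
    value = value.strip('"')
    if value.lower() == "any":
        if negate:
            raise ValueError("'!any' can never match")
        return False, frozenset()          # empty set means "any"
    macs = set()
    for raw in value.split(","):
        mac = raw.strip().replace(":", "").replace("-", "").lower()
        if len(mac) != 12 or not all(c in "0123456789abcdef" for c in mac):
            raise ValueError(f"bad MAC address: {raw!r}")
        macs.add(mac)
    return negate, frozenset(macs)


def option_matches(option, mac_hex: str) -> bool:
    """Evaluate a parsed option against one MAC given as 12 lowercase hex digits."""
    negate, macs = option
    if not macs:                           # "any": always True, as the post notes
        return True
    return (mac_hex in macs) != negate     # '!' inverts the list membership test


def frame_macs(frame: bytes):
    """Return (srcmac, dstmac) hex strings; Ethernet puts the destination MAC first."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = struct.unpack("!6s6s", frame[:12])
    return src.hex(), dst.hex()


def rule_matches(frame: bytes, srcmac: str = "any", dstmac: str = "any") -> bool:
    """True when both MAC options of a rule match this frame."""
    src, dst = frame_macs(frame)
    return option_matches(parse_mac_option(srcmac), src) and option_matches(parse_mac_option(dstmac), dst)


def build_frame(dst_hex: str, src_hex: str) -> bytes:
    """Constructed sample frame: Ethernet header, EtherType IPv4, dummy payload."""
    return bytes.fromhex(dst_hex) + bytes.fromhex(src_hex) + b"\x08\x00" + b"\x00" * 20
```

With the router's external interface at 001122334455 (the post's example value), `rule_matches(frame, srcmac='"001122334455"')` is true only for frames that physically left through that interface, regardless of the spoofed IP source.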