[Snort-devel] Issue with filtering on MAC address

Kumar, Manoj kumarm at ...2330...
Fri Jan 16 12:02:03 EST 2004


Hi guys,
I need your help regarding one issue which I am facing right now. I want to filter on some three bytes which are present in the MAC address of the packets. I have written the rules as follows:
log ip any any <> any any (content: "|7e e1 03|";offset:0;distance:6;rawbytes;nocase;)
output log_tcpdump:testrules

But somehow, it's not applying the filter, as when I look at the tcp dump file testrules, it shows me traffic with other MAC addresses also. Please help me find out what I am doing wrong with it.

Thanks in advance
Manoj



