[Snort-devel] Issue with filtering on MAC address

Martin Olsson elof at ...969...
Mon Jan 19 00:38:05 EST 2004


On Fri, 16 Jan 2004, Kumar, Manoj wrote:
> I need your help regarding one issue which I am facing right now.i want to filter on some three bytes which are present in MAC address of the packets. I have written the rules as foloow:
> log ip any any <> any any (content: "|7e e1 03|";offset:0;distance:6;rawbytes;nocase;)
> output log_tcpdump:testrules
>
> But,somehow,it's not applying the filter as when I look at the tcp dump file testrules,it shows me traffic with other MAC address also. Please help me out what I am doing wrong with it.

Doesn't snort start its pattern matching from the start of the protocol
payload, not the start of the packet?
In your case you have specified "ip" as the protocol, then I guess that
offset:0; distance:6; is looking for your content in the middle of the
next protocol header (tcp, udp, icmp...).

I have asked for a keyword that makes it possible to match on MAC
addresses, but haven't got any replies.

/Martin





More information about the Snort-devel mailing list