[Snort-devel] Issue with filtering on MAC address

Kumar, Manoj kumarm at ...2330...
Mon Jan 19 11:56:03 EST 2004

Thanks for your reply!
I found the solution.You can use regular expression if you want to filter on specific protocol .My requirement was to filter on first three bytes of packets,so I used the follwing expression to capture the data

snort -l /rtm/pa/data/log -L Capture.dat -i eth1 'ether[0:4]=0x7ee10300' -b -D 

and it solved my problem.


-----Original Message-----
From: Martin Olsson [mailto:elof at ...969...]
Sent: Monday, January 19, 2004 3:38 AM
To: Kumar, Manoj
Cc: snort-devel at lists.sourceforge.net
Subject: Re: [Snort-devel] Issue with filtering on MAC address

On Fri, 16 Jan 2004, Kumar, Manoj wrote:
> I need your help regarding one issue which I am facing right now.i want to filter on some three bytes which are present in MAC address of the packets. I have written the rules as foloow:
> log ip any any <> any any (content: "|7e e1 03|";offset:0;distance:6;rawbytes;nocase;)
> output log_tcpdump:testrules
> But,somehow,it's not applying the filter as when I look at the tcp dump file testrules,it shows me traffic with other MAC address also. Please help me out what I am doing wrong with it.

Doesn't snort start its pattern matching from the start of the protocol
payload, not the start of the packet?
In your case you have specified "ip" as the protocol, then I guess that
offset:0; distance:6; is looking for your content in the middle of the
next protocol header (tcp, udp, icmp...).

I have asked for a keyword that makes it possible to match on MAC
addresses, but haven't got any replies.


More information about the Snort-devel mailing list