[Snort-users] Watching MAC addresses instead of IP's

roman at ...438... roman at ...438...
Sat May 19 10:43:47 EDT 2001

There is only limited support for MAC addresses.  While MACs
can be output in text file logging via the (-e) option, one cannot
specifically include them in any rules.  However, if you're
interested in snort only watching traffic from/to a specific
MAC, use the normal rule set, but limit what Snort "sees" using
command line BPF parameters (e.g. ether).


> Hi all,
> I think this came up before, but giving a quick scan through the lists I
> didn't see anything.
> Is it possible to get snort to only watch traffic going to and coming
> from specific MAC address(es)?
> TIA, and best regards,
> -Emil
> -- 
> http://www.ecad.org/~jev/jev.gpg
> Key fingerprint = 748B 2346 1683 6384 5E8D  4EE3 0807 EADB 999E AB95
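
Added example (not part of the original message and not Snort project code): a small shell helper that turns one or more MAC addresses into the `ether host` BPF expression the reply refers to, rejecting anything that is not a plain 48-bit MAC before it reaches the Snort command line. The function names, the interface argument, the `/etc/snort/snort.conf` path and the documentation-range MACs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: restrict what Snort captures to specific MAC addresses
# by passing a BPF expression on the command line.

# mac_bpf MAC [MAC...]
# Prints "ether host m1 or ether host m2 ..." on stdout.
# Returns 1 if no MAC is given or any argument is not six
# colon-separated hex octets, so a typo or a stray filter fragment
# never ends up in the expression handed to Snort.
mac_bpf() {
    [ "$#" -gt 0 ] || { echo "mac_bpf: no MAC given" >&2; return 1; }
    hh='[0-9a-f][0-9a-f]'
    bpf=""
    for mac in "$@"; do
        # Normalise to lower case so filters compare and log consistently.
        mac=$(printf '%s' "$mac" | tr 'A-F' 'a-f')
        case "$mac" in
            $hh:$hh:$hh:$hh:$hh:$hh) ;;
            *) echo "mac_bpf: invalid MAC: $mac" >&2; return 1 ;;
        esac
        if [ -n "$bpf" ]; then bpf="$bpf or "; fi
        bpf="${bpf}ether host $mac"
    done
    printf '%s\n' "$bpf"
}

# watch_macs IFACE MAC [MAC...]   (hypothetical wrapper, not called here)
# Runs Snort with the normal rule set, seeing only frames to or from
# the listed MACs. -e adds link-layer headers to the output so the MACs
# are visible in what gets logged. The config path is an assumption.
watch_macs() {
    iface=$1
    shift
    filter=$(mac_bpf "$@") || return 1
    snort -e -i "$iface" -c /etc/snort/snort.conf "$filter"
}

# Constructed sample input (MACs from the IANA documentation range).
mac_bpf 00:00:5E:00:53:01 00:00:5e:00:53:02
```

A filter this narrow also hides every other host on the wire from Snort. The MAC in a frame identifies the end host only on the same layer-2 segment; traffic that crossed a router carries the router's MAC.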
