[Snort-users] Alert Based on MAC Address
Bamberger, Marc (M.A.)
mbamberg at ...5362...
Thu Mar 21 12:42:29 EST 2002
I'm interested in tracking a PC that keeps changing it's IP address by it's
MAC (Ethernet) address. I would like to write a rule that would alert
whenever a certain MAC address appears in a packet.
It looks like the content keyword only scans the data of the packet and
doesn't match against headers. Am I misunderstanding the content keyword or
is there another way to accomplish this?
Any help would be appreciated.
More information about the Snort-users