[Snort-users] Alert Based on MAC Address

Bamberger, Marc (M.A.) mbamberg at ...5362...
Thu Mar 21 12:42:29 EST 2002


I'm interested in tracking a PC that keeps changing it's IP address by it's
MAC (Ethernet) address. I would like to write a rule that would alert
whenever a certain MAC address appears in a packet.

It looks like the content keyword only scans the data of the packet and
doesn't match against headers. Am I misunderstanding the content keyword or
is there another way to accomplish this?

Any help would be appreciated.

Thanks,
Marc Bamberger




More information about the Snort-users mailing list