[Snort-users] Alert Based on MAC Address

Wirth, Jeff WirthJe at ...4876...
Thu Mar 21 14:48:02 EST 2002

> Am I misunderstanding the content keyword or is there another way to
accomplish this?

hmmm...I don't think snort in IDS mode can help you here.  The MAC lives in
the link-level header and the content keyword looks in the packet payload.
You may want to consider crafting something up with snort in sniffer mode
(or tcpdump) using the filter option.

i.e. # snort -v ether host <Enter your MAC here> 

This would trigger output anytime snort came across a packet with the MAC in

Hope this helps..

- Jeff

More information about the Snort-users mailing list