[Snort-users] Alert Based on MAC Address
WirthJe at ...4876...
Thu Mar 21 14:48:02 EST 2002
> Am I misunderstanding the content keyword or is there another way to
hmmm...I don't think snort in IDS mode can help you here. The MAC lives in
the link-level header and the content keyword looks in the packet payload.
You may want to consider crafting something up with snort in sniffer mode
(or tcpdump) using the filter option.
i.e. # snort -v ether host <Enter your MAC here>
This would trigger output anytime snort came across a packet with the MAC in
Hope this helps..
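The point made in the reply above, shown as an added example that is not part of the original post: the MAC addresses sit in the first 12 bytes of the Ethernet header, so a payload-only search never sees them, while an `ether host`-style test on the header does. The MAC addresses, frames and function names below are constructed for illustration, and `payload_match` is a simplified stand-in for a payload search, not Snort's own code.

```python
import struct

WATCHED = "00:11:22:33:44:55"  # constructed MAC, not from the original post

def parse_mac(text):
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    parts = text.split(":")
    if len(parts) != 6:
        raise ValueError("expected six colon-separated octets: %r" % text)
    return bytes(int(p, 16) for p in parts)

def split_frame(frame):
    """Split an Ethernet II frame into (dst, src, ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == 0x8100:  # 802.1Q tag: real EtherType sits 4 bytes later
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    return dst, src, ethertype, frame[offset:]

def ether_host_match(frame, mac):
    """Same test as the 'ether host' filter: source OR destination MAC."""
    dst, src, _, _ = split_frame(frame)
    return mac in (dst, src)

def payload_match(frame, pattern):
    """Simplified payload search: looks only past the link-level header."""
    return pattern in split_frame(frame)[3]

def build_frame(dst, src, data, vlan=None):
    """Construct a sample frame (IPv4 EtherType, opaque data as payload)."""
    tag = b"" if vlan is None else struct.pack("!HH", 0x8100, vlan & 0x0FFF)
    return parse_mac(dst) + parse_mac(src) + tag + struct.pack("!H", 0x0800) + data

# Constructed sample traffic.
FRAMES = [
    build_frame("ff:ff:ff:ff:ff:ff", WATCHED, b"hello from watched host"),
    build_frame(WATCHED, "66:77:88:99:aa:bb", b"reply to watched host", vlan=10),
    build_frame("66:77:88:99:aa:bb", "de:ad:be:ef:00:01", b"unrelated traffic"),
]

def frames_for_mac(frames, mac_text):
    mac = parse_mac(mac_text)
    return [i for i, f in enumerate(frames) if ether_host_match(f, mac)]
```

`frames_for_mac(FRAMES, WATCHED)` returns the indexes of the frames sent by or to the watched MAC, including the VLAN-tagged one, while `payload_match` with the same MAC bytes finds nothing in any frame.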