[Snort-users] Alert Based on MAC Address

Matt Kettler mkettler at ...4108...
Thu Mar 21 15:38:07 EST 2002

As Jeff W already said, the content option of a rule looks at the 
application layer content, not the headers.

you might consider using tcpdump for this purpose:

tcpdump ether src <mac address>

or run arpwatch.

Snort is major overkill for only trying to catch packets with a single, 
static feature of the header. Snort is designed for applying a few hundred 
different test cases (including application layer content searches) to each 
packet and logging matches. Tcpdump is designed for dumping packets which 
match a relatively simple header content pattern. Choose your tool that 
best fits the scope of your task.

At 03:34 PM 3/21/2002 -0500, Bamberger, Marc (M.A.) wrote:
>I'm interested in tracking a PC that keeps changing it's IP address by it's
>MAC (Ethernet) address. I would like to write a rule that would alert
>whenever a certain MAC address appears in a packet.
>It looks like the content keyword only scans the data of the packet and
>doesn't match against headers. Am I misunderstanding the content keyword or
>is there another way to accomplish this?

More information about the Snort-users mailing list