[Snort-users] Re: [Snort-devel] New Feature based on MAC address filterig (Possible !!!!!)

Michael Boman michael.boman at ...4162...
Mon Jun 16 22:24:04 EDT 2003

On Tue, 2003-06-17 at 12:23, Atul Shrivastava wrote:
> Hello,
> There is one feature which is lacking in Snort.
> The feature is such that we can make rule based on the MAC address. I
> mean to say that I will make a pool of valid MAC addresses and then if
> any of the MAC addresses doesn't match with this MAC address pool then
> a alert has been generated for that. For that it is required to add
> one more preprocessor and then in that preprocessor we have to
> manually add the MAC addresses. Is it possible, because this feature
> is not there in any of the leading IDS.
> This feature solves the problem that if anyone comes to your internal
> LAN physically with this laptop and then plugs his laptop into the
> internal LAN and takes a valid IP from some employess on personal
> basis and try to copy some important and confidential data from the
> network or try to do something illegal in the network, if this feature
> is there then he bill be caught by that thing.
> Any sugessions are welcome.

Why not run arpwatch?

Best regards
 Michael Boman

Michael Boman
Security Architect, SecureCiRT Pte Ltd
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20030616/4701d9d0/attachment.sig>

More information about the Snort-users mailing list