[Snort-users] Layer 2 Rules Capability
mkettler at ...4108...
Mon Apr 5 08:33:00 EDT 2004
At 12:44 AM 4/5/2004, Kim Wall wrote:
>Does anyone know if there is a plug-in for Snort that allows the ability
>to create layer-2 rules (i.e. MAC-based)?
AFAIK the only layer-2 component of snort is the arpspoof preprocessor.
Quite frankly, it would be nice if snort added an "ethernet" option to the
list of protocols, allowing rule writers to go down to the raw ethernet
frame, instead of starting at the IP header. Using byte offsets, this
would facilitate at least crude rules for all kinds of non-IP packet types
(i.e., ARP, IPX, etc.).
However, I'm not sure if the snort code is structured to handle this
change, I think it's currently set up in a very "starting at layer-3 as
IPv4" centric way.
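
The byte-offset idea from the reply above, sketched as an added Python example; it is not Snort code or Snort rule syntax and is not part of the original message. The rule names, the watched MAC address and the sample frames are constructed for illustration.

```python
# Crude byte-offset rules over raw Ethernet II frames.
# Offsets count from the first byte of the frame (destination MAC):
#   0-5 destination MAC, 6-11 source MAC, 12-13 EtherType, 14+ payload.

WATCHED_MAC = bytes.fromhex("02000000beef")  # constructed, locally administered

# Each rule is a list of (offset, expected_bytes) tests; all must match.
RULES = {
    "arp":             [(12, b"\x08\x06")],                      # EtherType 0x0806
    "arp-reply":       [(12, b"\x08\x06"), (20, b"\x00\x02")],   # ARP opcode 2
    "ipx":             [(12, b"\x81\x37")],                      # EtherType 0x8137
    "src-watched-mac": [(6, WATCHED_MAC)],                       # MAC-based rule
}

def match_frame(frame: bytes, rules=RULES) -> list:
    """Return the names of rules whose every (offset, bytes) test matches."""
    hits = []
    for name, tests in rules.items():
        # A slice that reaches past the end of a truncated frame comes back
        # short, so that test fails instead of raising an exception.
        if all(frame[off:off + len(pat)] == pat for off, pat in tests):
            hits.append(name)
    return hits

def build_frame(dst: str, src: str, ethertype: int, payload: bytes = b"") -> bytes:
    """Assemble a constructed test frame (no preamble, no FCS)."""
    return (bytes.fromhex(dst) + bytes.fromhex(src)
            + ethertype.to_bytes(2, "big") + payload)

# Constructed sample frames.
ARP_REPLY = build_frame(
    "ffffffffffff", "02000000beef", 0x0806,
    bytes.fromhex("0001080006040002")                 # htype, ptype, hlen, plen, oper=2
    + WATCHED_MAC + bytes([192, 0, 2, 1])             # sender MAC / IP
    + bytes(6) + bytes([192, 0, 2, 2]))               # target MAC / IP
IPX_FRAME = build_frame("ffffffffffff", "020000000001", 0x8137, b"\xff\xff" + bytes(28))
IPV4_FRAME = build_frame("020000000002", "020000000001", 0x0800, bytes(20))
TRUNCATED = ARP_REPLY[:13]                            # cut inside the EtherType field

if __name__ == "__main__":
    for label, frame in [("arp reply", ARP_REPLY), ("ipx", IPX_FRAME),
                         ("ipv4", IPV4_FRAME), ("truncated", TRUNCATED)]:
        print(label, match_frame(frame))
```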