[Snort-users] Layer 2 Rules Capability

Matt Kettler mkettler at ...4108...
Mon Apr 5 08:33:00 EDT 2004

At 12:44 AM 4/5/2004, Kim Wall wrote:
>Does anyone know if there is a plug-in for Snort that allows the ability 
>to create layer-2 rules (i.e. MAC-based)?

AFAIK the only layer-2 component of snort is the arpspoof preprocessor.

Quite frankly, it would be nice if snort added an "ethernet" option to the 
list of protocols, allowing rule writers to go down to the raw ethernet 
frame, instead of starting at the IP header. Using byte offsets, this 
would facilitate at least crude rules for all kinds of non-IP packet types 
(i.e. ARP, IPX, etc.).

However, I'm not sure if the snort code is structured to handle this 
change; I think it's currently set up in a very "starting at layer-3 as 
IPv4" centric way.
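
The byte-offset idea described in this message, sketched as an added example that is not part of the original post and is not Snort code or Snort rule syntax. The rule table, function names and sample frames are hypothetical and constructed for illustration; the example also shows why fixed offsets are "crude": an 802.1Q VLAN tag shifts everything after the MAC addresses by four bytes.

```python
# Added illustration: crude byte-offset rules over raw Ethernet frames.
# Rule format and all names are hypothetical, not Snort syntax.
import struct

# Each rule: name -> list of (offset from start of frame, expected bytes).
RULES = {
    "arp-any":       [(12, b"\x08\x06")],                  # EtherType ARP
    "ipx-ethernet2": [(12, b"\x81\x37")],                  # EtherType IPX
    "arp-from-mac":  [(6, bytes.fromhex("020000000001")),  # source MAC
                      (12, b"\x08\x06")],
}

def strip_vlan(frame: bytes) -> bytes:
    """Remove one 802.1Q tag (TPID 0x8100) so fixed offsets line up again."""
    if len(frame) >= 18 and frame[12:14] == b"\x81\x00":
        return frame[:12] + frame[16:]
    return frame

def match(frame: bytes, normalize_vlan: bool = True) -> list[str]:
    """Return names of rules whose every (offset, bytes) test matches."""
    if normalize_vlan:
        frame = strip_vlan(frame)
    hits = []
    for name, tests in RULES.items():
        # A slice past the end of a short frame comes back shorter than the
        # pattern, so truncated frames fail the comparison instead of raising.
        if all(frame[off:off + len(pat)] == pat for off, pat in tests):
            hits.append(name)
    return hits

def eth(dst: str, src: str, ethertype: int, payload: bytes = b"") -> bytes:
    """Build a constructed sample frame (no FCS)."""
    return (bytes.fromhex(dst) + bytes.fromhex(src)
            + struct.pack("!H", ethertype) + payload)

# Constructed sample frames (locally administered MACs, dummy payloads).
ARP_FRAME = eth("ffffffffffff", "020000000001", 0x0806, b"\x00" * 28)
IPX_FRAME = eth("ffffffffffff", "020000000002", 0x8137, b"\xff\xff" + b"\x00" * 28)
IPV4_FRAME = eth("020000000003", "020000000001", 0x0800, b"\x45" + b"\x00" * 19)
# The same ARP frame with an 802.1Q tag (VLAN 10) inserted after the MACs.
VLAN_ARP = ARP_FRAME[:12] + b"\x81\x00\x00\x0a" + ARP_FRAME[12:]
TRUNCATED = ARP_FRAME[:13]

if __name__ == "__main__":
    for label, f in [("arp", ARP_FRAME), ("ipx", IPX_FRAME), ("ipv4", IPV4_FRAME),
                     ("vlan-arp", VLAN_ARP), ("truncated", TRUNCATED)]:
        print(label, match(f), match(f, normalize_vlan=False))
```

Without the VLAN normalization step, the tagged ARP frame matches no rule, which is the kind of blind spot a sensor on a trunk port would have with purely positional layer-2 rules.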

