[Snort-users] detect on specific MAC address
mkettler at ...4108...
Thu Oct 21 11:01:42 EDT 2004
At 09:31 AM 10/21/2004, Jericho Lee wrote:
> We all know that snort can be in NIDS mode to detect all the
> packets in the network, but can snort just detect some specific
> destination address??
> I have a computer with 2 NICs, and I want snort to detect some
> packets sent to the second NIC only,
> So other packets without the MAC address in the header the same with the
> 2nd NIC MAC address will not be captured by snort,
> Can snort do this?

I'm not 100% sure I understand your question, but I think I do. You want snort
to run on only one of two interfaces, and only monitor one MAC (the local MAC).

1) use -i to force snort to only listen on the second interface
2) use -p to turn off promisc sniffing
3) use a snort command line that has a BPF filter with the "ether host"
keyword to restrict snort to only seeing traffic to/from a particular
MAC. See man tcpdump for info on BPF filter formats (tcpdump and snort use
the same command line BPF filter format)
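
The three steps above combined into one command line, as an added example that is not part of the original post. The interface name eth1, the MAC address, the config path and the sysfs lookup (Linux only) are assumptions; the helper function names are hypothetical.

```shell
#!/bin/sh
# Added example: build a Snort command line limited to one NIC and one MAC.
# eth1, the MAC and the config path are constructed sample values.

# Succeed only if $1 is a colon-separated 48-bit MAC address.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Print the MAC of interface $1 as the kernel reports it (Linux sysfs).
# $2 optionally overrides the sysfs root so the lookup can be tested.
iface_mac() {
    root=${2:-/sys/class/net}
    [ -r "$root/$1/address" ] || { echo "no such interface: $1" >&2; return 1; }
    tr 'A-F' 'a-f' < "$root/$1/address"
}

# build_filter MAC [host|dst|src]
#   host = frames to or from the MAC (the "ether host" keyword from step 3)
#   dst  = only frames addressed to the MAC
#   src  = only frames sent from the MAC
build_filter() {
    is_mac "$1" || { echo "invalid MAC: $1" >&2; return 1; }
    case "${2:-host}" in
        host|dst|src) echo "ether ${2:-host} $1" ;;
        *) echo "invalid direction: $2" >&2; return 1 ;;
    esac
}

# snort_cmd IFACE MAC [DIRECTION]
#   -i IFACE : listen on this interface only (step 1)
#   -p       : do not put the interface in promiscuous mode (step 2)
#   trailing words are the BPF filter, same syntax as tcpdump (step 3)
snort_cmd() {
    filter=$(build_filter "$2" "${3:-host}") || return 1
    echo "snort -i $1 -p -c /etc/snort/snort.conf $filter"
}

# Print the command for the sample NIC; run it by hand after checking it.
snort_cmd eth1 00:11:22:33:44:55
```

With `dst` the filter keeps only frames addressed to that NIC, which also drops the broadcast and multicast frames that non-promiscuous mode would still deliver.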