[Snort-users] detect on specific MAC address

Matt Kettler mkettler at ...4108...
Thu Oct 21 11:01:42 EDT 2004


At 09:31 AM 10/21/2004, Jericho Lee wrote:
>HI List,
>
>            We all know that snort can be in NIDS mode to detect all the 
> packets in the network, but can snort just detect some specific 
> destination address??
>            I have a computer with 2 NIC, and I want snort to detect some 
> packets send to the second NIC only,
>So other packets without the MAC address in the header the same with the 
>2nd NIC MAC address will not be captured by snort,
>Can snort do this?

I'm not 100% I understand your question, but I think I do.. You want snort 
to run on only one of two interfaces, and only monitor one MAC (the local mac)

Some suggestions:

         1) use -i to force snort to only listen on the second interface
         2) use -p to turn off promisc sniffing
         3) use snort command line that has a BPF filter with the "ether 
host" keyword to restrict snort to only seeing traffic to/from a particular 
mac. See man tcpdump for info on BPF filter formats (tcpdump and snort use 
the same command line BPF filter format)





More information about the Snort-users mailing list