[Snort-users] Logging MAC address with snort, barnyard2 & MySQL

David Guimaraes skysbsb at ...11827...
Sun Aug 22 17:34:57 EDT 2010

I searched for this some time ago, also without finding any answers.

The only way I found to recover the MACs of the hosts is to go directly
to Snort's unified2 file and run the following commands:

$ cd /var/log/snort
# Generate pcap format from the unified2 output log
# (-o = batch mode over the given unified2 file; -l = log directory.
#  The original command omitted the -l argument; '.' i.e. /var/log/snort is assumed here.)
$ barnyard2 -c barn-pcap-log.conf -o snort2.ethX.u2.XXXX -l .

# Filter only the offending packet (-e prints the Ethernet header, i.e. both MACs)
$ tcpdump -e -n -r tcpdump.log.XXXX host WWW and port ZZZ and host XXX

# Barnyard2 configuration for the pcap output
$ cat barn-pcap-log.conf
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config reference_file:      /etc/snort/reference.config
config sid_file:            /etc/snort/sid-msg.map
input unified2
output log_tcpdump: tcpdump.log

Or, of course, change the code of barnyard2's database output plugin
to include the Ethernet frame in the packet logs written to the database,
and change BASE to interpret the Ethernet frame.

On Fri, Aug 20, 2010 at 11:11 AM, Guillaume Blanc
<guillaume.b.blanc at ...11827...> wrote:
> Hello everyone,
> I'm actually trying to get the MAC address of the IP shown in the Snort alert,
> but when I download the pcap packet from BASE the only MAC addresses I
> get are 11:22:33:44:55:66 and de:ad:ca:fe:ba:be (dead:cafe:babe)...
> I've searched around and found the option -e to activate in Snort, but no
> more result. I also use barnyard2 and I tried to activate the same option.
> I've found this post, which was really interesting:
> "http://www.infosecramblings.com/2008/12/02/snort-base-mysql-and-a-deadcafebabe/"
> And in the comments someone said it was apparently possible with barnyard2.
> Do you have any clue on how I can get those MAC addresses?
> Thank you

David Gomes Guimarães
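The procedure above ends with tcpdump -e over the pcap that barnyard2's log_tcpdump output wrote. The following Python script, added here as an illustration and not code from either poster, does the same extraction without tcpdump: it parses a classic pcap file, pulls the source and destination MACs from each Ethernet frame, applies the same kind of "host A and host B and port P" filter, and flags the two dummy addresses (11:22:33:44:55:66 and de:ad:ca:fe:ba:be) that BASE shows when the real frame header was never stored. The pcap bytes it runs on are constructed inline (function and address names are my own); on a real system you would read tcpdump.log.XXXX from /var/log/snort instead.

```python
"""Extract Ethernet (MAC) addresses from a classic pcap such as barnyard2's log_tcpdump output."""
import struct
from typing import Dict, List, Optional, Sequence

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800

# The two dummy addresses BASE displays when the database holds no real frame header.
PLACEHOLDER_MACS = {"11:22:33:44:55:66", "de:ad:ca:fe:ba:be"}


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def is_placeholder_mac(mac: str) -> bool:
    """True if this is one of the fake MACs, i.e. the capture never carried the Ethernet header."""
    return mac.lower() in PLACEHOLDER_MACS


def parse_pcap(data: bytes) -> List[Dict]:
    """Parse a classic (non-pcapng) pcap and return one record per Ethernet frame."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}; need Ethernet (1)")

    records = []
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 14:
            continue  # not even a full Ethernet header
        rec = {"ts": ts_sec + ts_usec / 1e6,
               "dst_mac": fmt_mac(frame[0:6]), "src_mac": fmt_mac(frame[6:12])}
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype == ETHERTYPE_IPV4 and len(frame) >= 34:
            ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
            proto = frame[23]                     # IPv4 protocol field
            rec["src_ip"] = ".".join(str(b) for b in frame[26:30])
            rec["dst_ip"] = ".".join(str(b) for b in frame[30:34])
            l4 = frame[14 + ihl:]
            if proto in (6, 17) and len(l4) >= 4:  # TCP or UDP: ports are the first 4 bytes
                rec["src_port"], rec["dst_port"] = struct.unpack("!HH", l4[:4])
        records.append(rec)
    return records


def find_macs(data: bytes, hosts: Sequence[str] = (), port: Optional[int] = None) -> List[Dict]:
    """Equivalent of 'tcpdump -e -n host A and host B and port P': keep frames matching all terms."""
    out = []
    for rec in parse_pcap(data):
        ips = {rec.get("src_ip"), rec.get("dst_ip")}
        if any(h not in ips for h in hosts):
            continue
        if port is not None and port not in (rec.get("src_port"), rec.get("dst_port")):
            continue
        out.append(rec)
    return out


# --- constructed sample capture (not real traffic) -------------------------------------
def build_frame(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port) -> bytes:
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    payload = b"GET "
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     bytes(int(x) for x in src_ip.split(".")), bytes(int(x) for x in dst_ip.split(".")))
    return eth + ip + tcp + payload


def build_pcap(frames: Sequence[bytes]) -> bytes:
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    body = b"".join(struct.pack("<IIII", 1282500000 + i, 0, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return hdr + body


SAMPLE_PCAP = build_pcap([
    build_frame("00:1a:2b:3c:4d:5e", "00:0c:29:aa:bb:cc", "192.0.2.10", "198.51.100.7", 51234, 80),
    build_frame("11:22:33:44:55:66", "de:ad:ca:fe:ba:be", "192.0.2.10", "198.51.100.7", 51235, 80),
    build_frame("00:1a:2b:3c:4d:5e", "00:0c:29:aa:bb:cc", "192.0.2.10", "203.0.113.9", 51236, 443),
])

if __name__ == "__main__":
    for rec in find_macs(SAMPLE_PCAP, hosts=("192.0.2.10", "198.51.100.7"), port=80):
        flag = "  <- placeholder MAC, frame header was not captured" if is_placeholder_mac(rec["src_mac"]) else ""
        print(f'{rec["src_ip"]}:{rec["src_port"]} -> {rec["dst_ip"]}:{rec["dst_port"]} '
              f'src_mac={rec["src_mac"]} dst_mac={rec["dst_mac"]}{flag}')
```

To use it on a real barnyard2 capture, replace SAMPLE_PCAP with open("tcpdump.log.XXXX", "rb").read(); the is_placeholder_mac check tells you whether the MACs you got back are genuine or are the dummy values from a capture that never included the link layer.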
