[Snort-users] Unclear on active response MAC address

Research research at ...17107...
Tue Mar 3 09:41:46 EST 2015


Hello,

Under the active response section in the Snort 2.9.7.0 manual, I see the syntax for configuring sniping in passive mode is:

	config response: [device <dev>] [dst_mac <MAC address>] attempts <att>

I don’t understand the purpose of being able to configure the destination MAC address.  Does that change the MAC address in the frames that are sent as sniping runs and if so, why would I be concerned with that being something configurable ?

Thanks



More information about the Snort-users mailing list