[Snort-users] Mac Address in alert

Al Lewis (allewi) allewi at ...589...
Wed Jun 7 21:28:00 EDT 2017


It depends on your logging output format/flags.

http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node21.html


Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi at ...589...

From: Paul Li <paul at ...17768...>
Date: Wednesday, June 7, 2017 at 7:47 PM
To: allewi <allewi at ...589...>
Cc: 'snort-users' <snort-users at lists.sourceforge.net>
Subject: Re: [Snort-users] Mac Address in alert

Thanks Al. Appreciate it. Looks like one of the parameters, Acmg, does the trick. Is my understanding correct?

Paul

On Jun 7, 2017 19:38, "Al Lewis (allewi)" <allewi at ...589...> wrote:
It's there:

Taken from below:

06/07-19:30:42.272000 07:08:09:0A:0B:0C -> 01:02:03:04:05:06 type:0x800 len:0x632



alewis at ...17722...:/var/tmp/snort-2.9.9.0-released$ ./bin/snort  -c etc/NATARAJAN.conf -r /tmp/TEST.pcap  -Acmg -k none -q
06/07-19:30:42.272000  [**] [1:1000002:1] Snort alerting on XYZ content [**] [Priority: 0] {TCP} 1.1.1.1:34504 -> 2.2.2.2:25
06/07-19:30:42.272000 07:08:09:0A:0B:0C -> 01:02:03:04:05:06 type:0x800 len:0x632
1.1.1.1:34504 -> 2.2.2.2:25 TCP TTL:64 TOS:0x0 ID:58912 IpLen:20 DgmLen:1572 DF
***AP*** Seq: 0xB7C96236  Ack: 0xF0F5EF6D  Win: 0x156  TcpLen: 32
TCP Options (3) => NOP NOP TS: 20087867 20087851
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

On 6/7/17, 6:29 PM, "Paul Li" <paul at ...17768...> wrote:

>Seems someone already asked this question, but Google doesn't give me a
>confirmed answer. So bring this question to the attention to this group:
>
>Is there a way I can get the MacAddress of the src and dst in a Snort alert?
>
>Thanks,
>Paul
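Added example for this thread, not code from the thread or from the Snort project: a small Python parser for the `-A cmg` console output Al pasted above. In that output the MACs are not on the alert line itself; they are on the link-layer line that follows it, carrying the same timestamp ("07:08:09:0A:0B:0C -> 01:02:03:04:05:06 type:0x800 ..."). The parser pairs each fast-style alert line with that line and pulls out source and destination MAC, refusing to attach a MAC line whose timestamp does not match the preceding alert. The sample output is constructed here in the shape of the thread's output: the first alert is the one from the thread, the second and third are made up to show a Classification field and an alert with no link-layer line at all (which is what you get from a capture without Ethernet headers). One caveat a practitioner should keep in mind: the MACs are those of the adjacent layer-2 hops as seen from the sensor's capture point. Once traffic has crossed a router, the address you see is the router interface's MAC, not the end host's.

```python
"""Parse Snort '-A cmg' console output and extract src/dst MAC per alert.

Added example for this thread; not Snort project code. The format assumed
is the one shown in the thread: a fast-style alert line, then a line with
the same timestamp carrying 'SRCMAC -> DSTMAC type:0x... len:0x...'.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the shape of the thread's output. Alert 1 is copied
# from the thread; alerts 2 and 3 are made up (one with a Classification
# field, one with no link-layer line, e.g. a capture without Ethernet headers).
SAMPLE_CMG_OUTPUT = """\
06/07-19:30:42.272000  [**] [1:1000002:1] Snort alerting on XYZ content [**] [Priority: 0] {TCP} 1.1.1.1:34504 -> 2.2.2.2:25
06/07-19:30:42.272000 07:08:09:0A:0B:0C -> 01:02:03:04:05:06 type:0x800 len:0x632
1.1.1.1:34504 -> 2.2.2.2:25 TCP TTL:64 TOS:0x0 ID:58912 IpLen:20 DgmLen:1572 DF
***AP*** Seq: 0xB7C96236  Ack: 0xF0F5EF6D  Win: 0x156  TcpLen: 32
TCP Options (3) => NOP NOP TS: 20087867 20087851
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

06/07-19:30:43.100000  [**] [1:1000003:2] Constructed second alert [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.0.0.5:53123 -> 10.0.0.1:53
06/07-19:30:43.100000 DE:AD:BE:EF:00:01 -> 01:02:03:04:05:06 type:0x800 len:0x4A
10.0.0.5:53123 -> 10.0.0.1:53 UDP TTL:128 TOS:0x0 ID:1 IpLen:20 DgmLen:60
Len: 32

06/07-19:30:44.500000  [**] [1:1000004:1] Constructed alert with no link-layer line [**] [Priority: 3] {ICMP} 192.0.2.7 -> 192.0.2.1
192.0.2.7 -> 192.0.2.1 ICMP TTL:64 TOS:0x0 ID:7 IpLen:20 DgmLen:84
"""

TS = r"\d\d/\d\d-\d\d:\d\d:\d\d\.\d+"
MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"

# Fast-style alert line: timestamp [**] [gid:sid:rev] msg [**] [Classification: ...]? [Priority: n] {proto} src -> dst
ALERT_RE = re.compile(
    rf"^(?P<ts>{TS})\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)
# Link-layer line that follows the alert: timestamp SRCMAC -> DSTMAC type:0x.. len:0x..
ETH_RE = re.compile(
    rf"^(?P<ts>{TS})\s+(?P<smac>{MAC})\s+->\s+(?P<dmac>{MAC})\s+"
    r"type:0x(?P<ethtype>[0-9A-Fa-f]+)\s+len:0x(?P<len>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class Alert:
    ts: str
    gid: int
    sid: int
    rev: int
    msg: str
    priority: int
    proto: str
    src: str
    dst: str
    classification: Optional[str] = None
    src_mac: Optional[str] = None   # None when no link-layer line followed
    dst_mac: Optional[str] = None
    ethertype: Optional[int] = None


def parse_cmg_alerts(text: str) -> List[Alert]:
    """Return one Alert per alert line, with MACs filled in where present."""
    alerts: List[Alert] = []
    pending: Optional[Alert] = None  # alert still waiting for its MAC line
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            pending = Alert(ts=m["ts"], gid=int(m["gid"]), sid=int(m["sid"]),
                            rev=int(m["rev"]), msg=m["msg"],
                            priority=int(m["prio"]), proto=m["proto"],
                            src=m["src"], dst=m["dst"], classification=m["cls"])
            alerts.append(pending)
            continue
        m = ETH_RE.match(line)
        # Attach a MAC line only to the alert immediately before it, and only
        # when the timestamps agree, so a stray line cannot be mis-attributed.
        if m and pending is not None and m["ts"] == pending.ts:
            pending.src_mac = m["smac"].lower()
            pending.dst_mac = m["dmac"].lower()
            pending.ethertype = int(m["ethtype"], 16)
            pending = None
    return alerts


def alerts_per_src_mac(alerts: List[Alert]) -> Dict[Optional[str], int]:
    """Count alerts by source MAC; the None key collects alerts without one."""
    return dict(Counter(a.src_mac for a in alerts))


if __name__ == "__main__":
    for a in parse_cmg_alerts(SAMPLE_CMG_OUTPUT):
        print(f"{a.ts} sid={a.sid} {a.src} -> {a.dst} "
              f"mac {a.src_mac or '?'} -> {a.dst_mac or '?'}")
```

Feed it the console output of a run like the one in the thread (`snort -c snort.conf -r file.pcap -A cmg -k none -q`) on stdin or from a file; alerts whose MAC came back as None are the ones to check for a non-Ethernet DAQ or a capture taken without link-layer headers.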