[Snort-users] Mac Address in alert

Paul Li paul at ...17768...
Thu Jun 8 10:29:20 EDT 2017


Hi Al,

Somehow I missed one of your messages about "what you do with mac ? ...",
until I saw it in the daily digest. Mine is a concern case, actually: I want to
identify my own side's devices by MAC address. I use one Snort server to
monitor multiple subnets whose devices could have the same internal IPs.

Following up on this question, I'm currently using Barnyard2 to spool alerts to
a DB, but it looks like Barnyard2 doesn't have the MAC address in its log at all,
or at least I don't see a MAC address in its DB schema. So I'm wondering whether
Barnyard2 can load alerts with MAC addresses into the DB, and if it can't,
what's the best way to do it?

Thanks,
Paul


On Wed, Jun 7, 2017 at 9:28 PM, Al Lewis (allewi) <allewi at ...589...> wrote:

> It depends on your logging output format/flags.
>
> http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node21.html
>
>
> Albert Lewis
>
> ENGINEER.SOFTWARE ENGINEERING
>
> SOURCEfire, Inc. now part of Cisco
>
> Email: allewi at ...589...
>
> From: Paul Li <paul at ...17768...>
> Date: Wednesday, June 7, 2017 at 7:47 PM
> To: allewi <allewi at ...589...>
> Cc: 'snort-users' <snort-users at lists.sourceforge.net>
> Subject: Re: [Snort-users] Mac Address in alert
>
> Thanks Al. Appreciate it. Looks like one of the parameters, -Acmg, does the
> trick. Is my understanding correct?
>
> Paul
>
> On Jun 7, 2017 19:38, "Al Lewis (allewi)" <allewi at ...589...> wrote:
>
> It's there:
>
> Taken from below:
>
> 06/07-19:30:42.272000 07:08:09:0A:0B:0C -> 01:02:03:04:05:06 type:0x800 len:0x632
>
> alewis at ...17722...:/var/tmp/snort-2.9.9.0-released$ ./bin/snort  -c etc/NATARAJAN.conf -r /tmp/TEST.pcap  -Acmg -k none -q
> 06/07-19:30:42.272000  [**] [1:1000002:1] Snort alerting on XYZ content [**] [Priority: 0] {TCP} 1.1.1.1:34504 -> 2.2.2.2:25
> 06/07-19:30:42.272000 07:08:09:0A:0B:0C -> 01:02:03:04:05:06 type:0x800 len:0x632
> 1.1.1.1:34504 -> 2.2.2.2:25 TCP TTL:64 TOS:0x0 ID:58912 IpLen:20 DgmLen:1572 DF
> ***AP*** Seq: 0xB7C96236  Ack: 0xF0F5EF6D  Win: 0x156  TcpLen: 32
> TCP Options (3) => NOP NOP TS: 20087867 20087851
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>
> Albert Lewis
> ENGINEER.SOFTWARE ENGINEERING
> SOURCEfire, Inc. now part of Cisco
> Email: allewi at ...589...
>
> On 6/7/17, 6:29 PM, "Paul Li" <paul at ...17768...> wrote:
>
> >Seems someone already asked this question, but Google doesn't give me a
> >confirmed answer. So bring this question to the attention to this group:
> >
> >Is there a way I can get the MacAddress of the src and dst in a Snort
> alert?
> >
> >Thanks,
> >Paul
>
>
>
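Worked example, added here and not part of the thread, of Snort or of Barnyard2: a small Python parser for the `-Acmg` console output Al quoted above. It picks the source and destination MAC off the Ethernet header line that follows each alert header and then labels the alert by source MAC instead of by the internal IP, which is the case Paul describes (one sensor, several subnets reusing the same addresses). The first alert in the sample is the thread's own output with the wrapped header line rejoined; the second alert, the MAC-to-site table and all function names are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the first alert is the -Acmg output quoted in the thread
# (alert header line rejoined after mail-client wrapping); the second alert is
# invented so that two different devices show up with the same internal IP.
SAMPLE_CMG_OUTPUT = """\
06/07-19:30:42.272000  [**] [1:1000002:1] Snort alerting on XYZ content [**] [Priority: 0] {TCP} 1.1.1.1:34504 -> 2.2.2.2:25
06/07-19:30:42.272000 07:08:09:0A:0B:0C -> 01:02:03:04:05:06 type:0x800 len:0x632
1.1.1.1:34504 -> 2.2.2.2:25 TCP TTL:64 TOS:0x0 ID:58912 IpLen:20 DgmLen:1572 DF
***AP*** Seq: 0xB7C96236  Ack: 0xF0F5EF6D  Win: 0x156  TcpLen: 32
TCP Options (3) => NOP NOP TS: 20087867 20087851
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

06/07-19:31:05.100000  [**] [1:1000002:1] Snort alerting on XYZ content [**] [Priority: 0] {TCP} 1.1.1.1:40210 -> 2.2.2.2:25
06/07-19:31:05.100000 0A:0B:0C:0D:0E:0F -> 01:02:03:04:05:06 type:0x800 len:0x5E
1.1.1.1:40210 -> 2.2.2.2:25 TCP TTL:64 TOS:0x0 ID:58913 IpLen:20 DgmLen:80 DF
"""

MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"
TS = r"\d\d/\d\d-\d\d:\d\d:\d\d\.\d+"

# Alert header: ts [**] [gid:sid:rev] msg [**] [Classification: ..] [Priority: n] {proto} src -> dst
ALERT_RE = re.compile(
    rf"^(?P<ts>{TS})\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s+)?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Ethernet header line that -Acmg prints directly after the alert header.
ETH_RE = re.compile(
    rf"^(?P<ts>{TS})\s+(?P<smac>{MAC})\s+->\s+(?P<dmac>{MAC})\s+"
    r"type:0x(?P<etype>[0-9A-Fa-f]+)\s+len:0x(?P<flen>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class CmgAlert:
    timestamp: str
    gid: int
    sid: int
    rev: int
    msg: str
    proto: str
    src: str
    dst: str
    priority: Optional[int] = None
    src_mac: Optional[str] = None
    dst_mac: Optional[str] = None
    ether_type: Optional[int] = None


def parse_cmg(text: str) -> List[CmgAlert]:
    """Parse -Acmg console output into alert records, attaching the source and
    destination MAC from the Ethernet header line that follows each alert."""
    alerts: List[CmgAlert] = []
    current: Optional[CmgAlert] = None
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            current = CmgAlert(
                timestamp=m["ts"], gid=int(m["gid"]), sid=int(m["sid"]),
                rev=int(m["rev"]), msg=m["msg"], proto=m["proto"],
                src=m["src"], dst=m["dst"],
                priority=int(m["prio"]) if m["prio"] else None,
            )
            alerts.append(current)
            continue
        e = ETH_RE.match(line)
        if e and current is not None and current.src_mac is None:
            current.src_mac = e["smac"].upper()
            current.dst_mac = e["dmac"].upper()
            current.ether_type = int(e["etype"], 16)
    return alerts


def site_for(alert: CmgAlert, mac_to_site: Dict[str, str]) -> str:
    """Label an alert by source MAC rather than by the (possibly reused) IP.
    Unknown MACs are reported as such so they get triaged, not silently merged."""
    if alert.src_mac is None:
        return "no-l2-header"
    return mac_to_site.get(alert.src_mac, "unknown-mac")


# Hypothetical inventory: which monitored subnet owns which source MAC.
MAC_TO_SITE = {
    "07:08:09:0A:0B:0C": "site-A",
    "0A:0B:0C:0D:0E:0F": "site-B",
}


def summarize(text: str = SAMPLE_CMG_OUTPUT) -> List[str]:
    """One line per alert: site label, sid, source MAC and the IP endpoints."""
    return [
        f"{site_for(a, MAC_TO_SITE)} sid={a.sid} {a.src_mac} {a.src} -> {a.dst}"
        for a in parse_cmg(text)
    ]


if __name__ == "__main__":
    for row in summarize():
        print(row)
```

Two caveats worth keeping in mind with this approach. First, the MAC Snort prints is whatever was in the Ethernet frame at the sensor, i.e. the last layer-2 hop: it identifies the end device only while the sensor sits on the same segment, and traffic that has crossed a router arrives with the router's MAC. Second, this reads the console/`alert_full`-style text output; it says nothing about what Barnyard2 stores, so it does not answer the schema question, only the "how do I tell my own devices apart" one.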
