
Re: [Snort-devel] New Feature based on MAC address filterig (Possible !!!!!)

From: Frank Knobbe <fknobbe(at)knobbeits.com>
Date: Tue Jun 17 2003 - 01:14:28 EDT

On Mon, 2003-06-16 at 23:23, Atul Shrivastava wrote:
> The feature is such that we can make rule based on the MAC address. I

To discover new MAC addresses, use arpwatch. It is not the role of an IDS to detect new MACs.

> This feature solves the problem that if anyone comes to your internal

Keep in mind that the rogue laptop would have to be plugged into the same broadcast domain as the IDS, otherwise you won't detect the new MAC address. You can however detect new IP addresses and you can detect illegal activity.

If you are concerned about ARP spoofing, I believe Jeff's arpspoof preprocessor takes care of that.

Don't try to put too many functions in one piece of software. Instead, create an arsenal of tools dedicated to certain tasks. Snort does not detect when your hard drives run out of disk space either. Sometimes I get the feeling that people want to put too much functionality into one device, and try to shape it like a silver bullet. It won't work. (Firewalls and access control and IDS and virus scanning and content management and PKI and identity management and network forensics..... all in one box? ;)


Regards,
Frank  




Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Received on Tue Jun 17 01:27:50 2003
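
Added example, not part of the original message and not arpwatch's or Snort's code: a simplified model of the IP-to-MAC tracking that a dedicated tool such as arpwatch performs, run over constructed ARP observations. The event names follow those in arpwatch's reports; the class, function names, addresses and timestamps are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample: (timestamp, sender IP, sender MAC) from ARP packets.
# A sensor only sees these for hosts in its own broadcast domain.
OBSERVATIONS = [
    (100, "192.168.1.10", "00:11:22:33:44:55"),
    (105, "192.168.1.20", "00:11:22:33:44:66"),
    (160, "192.168.1.10", "00:11:22:33:44:55"),  # known pair, no event
    (200, "192.168.1.30", "DE:AD:BE:EF:00:01"),  # unknown laptop appears
    (260, "192.168.1.10", "de:ad:be:ef:00:01"),  # IP claimed by another MAC
    (300, "192.168.1.10", "00:11:22:33:44:55"),  # and back to the original
]

@dataclass
class ArpTable:
    current: dict = field(default_factory=dict)   # ip -> MAC last seen
    previous: dict = field(default_factory=dict)  # ip -> MAC seen before that

    def observe(self, ts, ip, mac):
        """Record one ARP sighting; return an event tuple or None."""
        mac = mac.lower()                 # normalise before comparing
        old = self.current.get(ip)
        if old == mac:
            return None                   # binding unchanged
        if old is None:
            event = "new station"
        elif self.previous.get(ip) == mac:
            event = "flip flop"           # reverted to the MAC before last
        else:
            event = "changed ethernet address"
        if old is not None:
            self.previous[ip] = old
        self.current[ip] = mac
        return (ts, event, ip, mac, old)

def detect(observations, baseline=None):
    """Replay observations against an optional known-good ip -> MAC baseline."""
    table = ArpTable(current={ip: m.lower() for ip, m in (baseline or {}).items()})
    events = []
    for ts, ip, mac in observations:
        ev = table.observe(ts, ip, mac)
        if ev:
            events.append(ev)
    return events

if __name__ == "__main__":
    for ev in detect(OBSERVATIONS):
        print(ev)
```
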

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:06 EDT

