
Re: [Snort-devel] New Feature based on MAC address filterig (Possible !!!!!)

From: Keith R Kilby <krkilby(at)qinetiq.com>
Date: Tue Jun 17 2003 - 05:06:08 EDT

Frank Knobbe wrote:

>On Mon, 2003-06-16 at 23:23, Atul Shrivastava wrote:

Sorry, but I would have to disagree; in my experience anybody attaching to the network and stealing a
valid IP from your network would only be detectable by checking the MAC address. So it must be a
function of the Intrusion Detection System to report such occurrences.

There are some (expensive) routers and switched hubs that detect MAC address changes and flag
them to the network manager, but I agree for a small network (small office single segment LAN)
this would be a sensible addition to the SNORT arsenal.

>>This feature solves the problem that if anyone comes to your internal

Not strictly true? I believe that any MAC address would be detectable if it is on the same segment
of the LAN as the IDS sensor; broadcasts and domain have little to do at
that level of the protocol stack.

>If you are concerned about ARP spoofing, I believe Jeff's arpspoof

As with all the functions of SNORT, you turn them on or off as you require them for your intrusion
detection requirements. So adding another configurable preprocessor is only adding another tool
that some people may want to use.

Regards
Keith




Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel Received on Tue Jun 17 05:29:47 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:06 EDT
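
The check discussed in the message above, as an added example (not part of the original post and not Snort code): a small Python monitor that learns IP-to-MAC bindings from ARP frames seen on the sensor's segment and reports when a known IP shows up with a different MAC. All names, addresses and frames here are constructed for the illustration.

```python
import struct

ETH_ARP = 0x0806  # EtherType for ARP

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b):
    return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Return (eth_src, sender_mac, sender_ip) for an IPv4/Ethernet ARP frame, else None."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP body
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return mac_str(frame[6:12]), mac_str(frame[22:28]), ip_str(frame[28:32])

class BindingMonitor:
    def __init__(self, known=None):
        self.table = dict(known or {})  # ip -> first MAC seen (or preloaded)

    def observe(self, frame):
        """Return a list of alert strings for one captured frame."""
        parsed = parse_arp(frame)
        if parsed is None:
            return []
        eth_src, sha, spa = parsed
        alerts = []
        if eth_src != sha:  # Ethernet header and ARP body disagree
            alerts.append(f"ethernet/ARP source mismatch for {spa}: {eth_src} vs {sha}")
        old = self.table.get(spa)
        if old is None:
            self.table[spa] = sha  # first sighting: learn the binding
        elif old != sha:  # keep the original binding, report the newcomer
            alerts.append(f"{spa} moved from {old} to {sha}")
        return alerts

def make_arp(eth_src, sha, spa, tpa="192.0.2.1"):
    """Build a constructed broadcast ARP request (sample input only)."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    i = lambda s: bytes(int(p) for p in s.split("."))
    hdr = struct.pack("!HHHBBH", ETH_ARP, 1, 0x0800, 6, 4, 1)
    return b"\xff" * 6 + m(eth_src) + hdr + m(sha) + i(spa) + b"\x00" * 6 + i(tpa)

if __name__ == "__main__":
    mon = BindingMonitor()
    mon.observe(make_arp("02:00:00:00:00:01", "02:00:00:00:00:01", "192.0.2.10"))
    print(mon.observe(make_arp("02:00:00:00:00:02", "02:00:00:00:00:02", "192.0.2.10")))
```

A sensor only sees these frames for hosts on its own segment, and a legitimate NIC replacement or DHCP reassignment produces the same alert, so preloading `known` with the expected bindings reduces noise.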
