somehow all my alerts have following source and destination MAC addresses.
source 11:22:33:44:55:66 dest. de:ad:ca:fe:ba:be
is the snort not getting correct MAC address or is BASE not reading correct one and just displaying default MAC?
My first guess would be Snort is inserting that, since I am not aware of any place in BASE that would display it.
Can you check in the DB to make sure?
Do you know what table does Snort stores MAC addresses?
I browsed "iphdr" table using phpadmin but it only shows somthing like below,
Full Texts sid cid ip_src ip_dst Ascending ip_ver ip_hlen ip_tos ip_len ip_id ip_flags ip_off ip_ttl ip_proto ip_csum
Edit Delete 1 100 2655425135 2655398002 4 5 192 159 53577 0 0 0 255 61416
Edit Delete 1 101 2655425135 2655398002 4 5 192 160 53586 0 0 0 255 61406
Edit Delete 1 102 2655425135 2655398002 4 5 192 161 53598 0 0 0 255 61393
Edit Delete 1 103 2655425135 2655398002 4 5 192 160 53606 0 0 0 255 61386
Edit Delete 1 75 2655425078 2655398250 4 5 0 1500 16789 0 0 128 6 47961
any good sql query commands I can issue?
I should add that I see those weird MAC address when I download PCAP files from BASE and look at it from ethereal.
you do know, that BASE can not read the linklayer type from snort, don't you?
base_payload.php assumes therefore that
the link type is ethernet(10MB).
If you use a different link layer, you
must adjust the following line in base_payload.php: For example, if you
need DLT_LINUX_SLL (the number 113 can be found in /usr/include/pcap-bpf.h):
- $hdr['linktype'] = pack('L', 1); /* unsigned long (always 32 bit, machine byte order) */
+ $hdr['linktype'] = pack('L', 113); /* unsigned long (always 32 bit, machine byte order) */
What does it mean by DLT_LINUX_SLL or Linux cooked capture?
does it mean, captured file on linux?
Is there a separate one for 100MB linktype? I wasn't able to find one on pcap-bpf.h
I wasn't aware that BASE acn't read linklayer type....do you know whether ACID was able to or not?
what is the easiest to find the MAC address of an alert then?
sorry for so many questions.
that was just an example why wrong link
layer infos could should up.
DLT_LINUX_SLL is a fake protocol used
by libpcap for those protocols, where
it receives (or knows) no complete link layer data. This is the case, for example with PPP lines, ATM lines, ISDN lines, but also when you capture on interface "any" (which does not really exist).
And no, you do not need to change anything with ethernet 100MB.
Actually, it is not the fault of BASE,
it is the fault of those ones who designed the database scheme of snort:
They simply left out providing the database with information about the link layer type.
And where do those obviously synthetic
MAC addresses come from in your case?
I don't know. There are mainboards out
there with onboard network controllers
that have a default MAC address 00:00:00:00:00:00. This causes problems, and therefore either software
or any admin simply sets any artificial
And with wireless cards some people set
all kinds of wrong MAC addresses when
they connect secretely to the routers
of other people who are not aware of
that... Maybe you use a router where
there is not configured anything at all...
Anyway, in your case you should capture your network traffic not just by means of snort, but at the same time by means of
a second sniffer (tcpdump, tshark/wireshark) in order to make sure
that the data presented by snort and BASE is accurate.
Log in to post a comment.
Sign up for the SourceForge newsletter:
You seem to have CSS turned off.
Please don't fill out this field.