
de:ad:ca:fe:ba:be

BASE-user
dkim777
2007-12-12
2013-06-03
  • dkim777

    dkim777 - 2007-12-12

    Somehow all my alerts have the following source and destination MAC addresses.

    source  11:22:33:44:55:66      dest.   de:ad:ca:fe:ba:be

    Is Snort not getting the correct MAC address, or is BASE not reading the correct one and just displaying a default MAC?

    Thanks.

     
    • Kevin Johnson

      Kevin Johnson - 2007-12-13

      My first guess would be Snort is inserting that, since I am not aware of any place in BASE that would display it.

      Can you check in the DB to make sure?

      thanks
      Kevin

       
    • dkim777

      dkim777 - 2007-12-13

      Do you know which table Snort stores MAC addresses in?

      I browsed the "iphdr" table using phpMyAdmin but it only shows something like the below,

      sid  cid  ip_src      ip_dst      ip_ver  ip_hlen  ip_tos  ip_len  ip_id  ip_flags  ip_off  ip_ttl  ip_proto  ip_csum
      1    100  2655425135  2655398002  4       5        192     159     53577  0         0       0       255       61416
      1    101  2655425135  2655398002  4       5        192     160     53586  0         0       0       255       61406
      1    102  2655425135  2655398002  4       5        192     161     53598  0         0       0       255       61393
      1    103  2655425135  2655398002  4       5        192     160     53606  0         0       0       255       61386
      1    75   2655425078  2655398250  4       5        0       1500    16789  0         0       128     6         47961

      Are there any good SQL queries I can issue?
      Thanks.

       
    • dkim777

      dkim777 - 2007-12-13

      I should add that I see those weird MAC addresses when I download PCAP files from BASE and look at them in Ethereal.

       
    • Juergen Leising

      Juergen Leising - 2007-12-15

      Hello,

      You do know that BASE cannot read the link-layer type from Snort, don't you?

      base_payload.php therefore assumes that
      the link type is Ethernet (10Mb).

      If you use a different link layer, you
      must adjust the following line in base_payload.php. For example, if you
      need DLT_LINUX_SLL (the number 113 can be found in /usr/include/pcap-bpf.h):

      -       $hdr['linktype'] =      pack('L', 1);           /* unsigned long  (always 32 bit, machine byte order) */
      +       $hdr['linktype'] =      pack('L', 113);           /* unsigned long  (always 32 bit, machine byte order) */
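
      Review bot: the replacement line hard-codes 113 for every export BASE produces, so on a deployment with several sensors where only some capture cooked frames (interface "any", PPP, ISDN) the Ethernet sensors' exports become mislabeled instead; the link type belongs in a configuration setting (base_conf.php) read by base_payload.php, ideally per sensor, rather than an edit to the library line, and since the value is now capture-specific the unchanged comment `/* unsigned long (always 32 bit, machine byte order) */` should say where 113 comes from (DLT_LINUX_SLL in pcap-bpf.h) so the next admin does not take it for a generic constant.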

      Bye, bye

      Juergen

       
    • dkim777

      dkim777 - 2007-12-17

      What does DLT_LINUX_SLL, or Linux cooked capture, mean?
      Does it mean a file captured on Linux?

      Is there a separate one for the 100Mb link type? I wasn't able to find one in pcap-bpf.h.

      I wasn't aware that BASE can't read the link-layer type... do you know whether ACID was able to or not?
      What is the easiest way to find the MAC address of an alert, then?

      Thanks.
      sorry for so many questions.

       
      • Juergen Leising

        Juergen Leising - 2007-12-17

        Hello,

        That was just an example of why wrong link-layer
        info could show up.

        DLT_LINUX_SLL is a fake protocol used
        by libpcap for those protocols where
        it receives (or knows) no complete link-layer data. This is the case, for example, with PPP lines, ATM lines and ISDN lines, but also when you capture on interface "any" (which does not really exist).

        And no, you do not need to change anything for Ethernet 100Mb.

        Actually, it is not the fault of BASE,
        it is the fault of those who designed the database schema of Snort:

        They simply left out providing the database with information about the link-layer type.

        And where do those obviously synthetic
        MAC addresses come from in your case?

        I don't know. There are mainboards out
        there with onboard network controllers
        that have a default MAC address of 00:00:00:00:00:00. This causes problems, and therefore either the software
        or the admin simply sets some artificial
        MAC.

        And with wireless cards some people set
        all kinds of wrong MAC addresses when
        they connect secretly to the routers
        of other people who are not aware of
        it... Maybe you use a router where
        nothing is configured at all...

        Anyway, in your case you should capture your network traffic not just by means of Snort, but at the same time by means of
        a second sniffer (tcpdump, tshark/wireshark) in order to make sure
        that the data presented by Snort and BASE is accurate.

        Bye, bye

        Juergen
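
The two points made above by Juergen (the link-type field BASE writes into the pcap file header with pack('L', 1), and the advice to cross-check Snort/BASE output against a second sniffer) as one added worked example in Python. This is not BASE's, Snort's or any poster's code: it builds the 24-byte pcap file header the same way pack('L', ...) does, invents an Ethernet header in front of a stored IP packet as an exporter must when its database holds no link-layer data, reads the file back according to the link type the header claims (Ethernet or DLT_LINUX_SLL), and compares the IP layer with an independent capture. Everything it operates on is constructed inline (the sample IPv4 packet, the "real" MAC addresses, the placeholder pair); treating 11:22:33:44:55:66 / de:ad:ca:fe:ba:be as the exporter's placeholder pair is this example's assumption, since the thread reports the values but does not establish where they originate.

```python
# Added example (not BASE's, Snort's or the thread's code): minimal pcap writer/reader.
import struct

DLT_EN10MB = 1       # Ethernet; what base_payload.php hard-codes via pack('L', 1)
DLT_LINUX_SLL = 113  # Linux "cooked" capture (interface "any", PPP, ISDN, ...)
ETHERTYPE_IPV4 = b"\x08\x00"

# The pair reported in the thread; treating it as the exporter's placeholder is an
# assumption of this example, the page does not say where it comes from.
SYNTHETIC_SRC = bytes.fromhex("112233445566")
SYNTHETIC_DST = bytes.fromhex("deadcafebabe")


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def pcap_global_header(linktype: int, snaplen: int = 65535) -> bytes:
    """24-byte file header in native byte order without padding, which is what
    PHP's pack('L', ...) produces; the magic value tells readers the byte order."""
    return struct.pack("=IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(frame: bytes, ts_sec: int = 0, ts_usec: int = 0) -> bytes:
    """16-byte per-packet header (ts_sec, ts_usec, incl_len, orig_len) plus frame."""
    return struct.pack("=IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame


def write_pcap(frames, linktype: int) -> bytes:
    return pcap_global_header(linktype) + b"".join(pcap_record(f) for f in frames)


def ipv4_packet(src: str, dst: str, payload: bytes, proto: int = 17) -> bytes:
    """Constructed test packet: minimal IPv4 header, checksum left at zero."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload


def synthesize_ethernet(ip_packet: bytes) -> bytes:
    """What an exporter must do when its database holds only the IP layer, as the
    Snort schema does: invent an Ethernet header to put in front of it."""
    return SYNTHETIC_DST + SYNTHETIC_SRC + ETHERTYPE_IPV4 + ip_packet


def cooked_frame(src_mac: bytes, ip_packet: bytes) -> bytes:
    """DLT_LINUX_SLL header: pkttype, ARPHRD type, addr len, addr (8 bytes), proto.
    It carries a source address but no destination address at all."""
    return struct.pack("!HHH8s2s", 0, 1, len(src_mac), src_mac.ljust(8, b"\0"),
                       ETHERTYPE_IPV4) + ip_packet


def read_pcap(data: bytes):
    """Return (linktype, [frame, ...]) for a classic pcap file in either byte order."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        order = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        order = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(order + "I", data[20:24])[0]
    frames, off = [], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(order + "IIII", data[off:off + 16])[2]
        off += 16
        frames.append(data[off:off + incl_len])
        off += incl_len
    return linktype, frames


def audit_pcap(data: bytes) -> list:
    """Decode link-layer addresses according to the link type the file header
    claims, flag the placeholder pair, and keep the IP layer for cross-checking."""
    linktype, frames = read_pcap(data)
    out = []
    for f in frames:
        if linktype == DLT_EN10MB:
            dst, src = f[0:6], f[6:12]
            out.append({"src": mac(src), "dst": mac(dst), "ip": f[14:],
                        "synthetic": src == SYNTHETIC_SRC and dst == SYNTHETIC_DST})
        elif linktype == DLT_LINUX_SLL:
            addrlen = struct.unpack("!H", f[4:6])[0]
            out.append({"src": mac(f[6:6 + min(addrlen, 8)]), "dst": None,
                        "ip": f[16:], "synthetic": False})
        else:
            raise ValueError(f"unhandled link type {linktype}")
    return out


def ip_layers_match(export: bytes, capture: bytes) -> bool:
    """The cross-check from the thread: the IP layer of the BASE export should equal
    what an independent sniffer saw, even though the link layers differ."""
    return [r["ip"] for r in audit_pcap(export)] == [r["ip"] for r in audit_pcap(capture)]


# Constructed sample data (not real traffic): one packet stored four ways.
SAMPLE_IP = ipv4_packet("10.0.0.5", "10.0.0.7", b"hello")
REAL_SRC, REAL_DST = bytes.fromhex("00aa11bb22cc"), bytes.fromhex("001122aabbcc")
BASE_EXPORT = write_pcap([synthesize_ethernet(SAMPLE_IP)], DLT_EN10MB)
SNIFFER_CAPTURE = write_pcap([REAL_DST + REAL_SRC + ETHERTYPE_IPV4 + SAMPLE_IP], DLT_EN10MB)
COOKED_CAPTURE = write_pcap([cooked_frame(REAL_SRC, SAMPLE_IP)], DLT_LINUX_SLL)
# A cooked capture exported under link type 1: the mismatch the patch above corrects.
MISLABELED = write_pcap([cooked_frame(REAL_SRC, SAMPLE_IP)], DLT_EN10MB)

if __name__ == "__main__":
    for name, blob in [("BASE export", BASE_EXPORT), ("sniffer", SNIFFER_CAPTURE),
                       ("cooked", COOKED_CAPTURE), ("mislabeled", MISLABELED)]:
        r = audit_pcap(blob)[0]
        print(f"{name:12} src={r['src']} dst={r['dst']} synthetic={r['synthetic']}")
    print("IP layers match:", ip_layers_match(BASE_EXPORT, SNIFFER_CAPTURE))
```

Run as a script it prints the four decodings: the BASE-style export shows the placeholder pair and is flagged, the sniffer capture shows the real addresses, the cooked capture has a source but no destination, and the mislabeled file (cooked frames under link type 1) decodes its first six bytes as a destination "MAC" of 00:00:00:01:00:06, which is exactly the kind of nonsense Ethereal displays when the file header's link type is wrong. The IP-layer comparison passes for the BASE export against the sniffer capture and fails for the mislabeled file, which is the check to run before trusting MAC addresses from an export.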

         
