Detecting and logging attacking MAC address

jeff-krauss
Level 1

Have a particular MAC address that I would like to detect and log info on whenever it comes onto the network. I want to log it whenever it's there - not just if it's attacking.

I don't see any general signatures I can use, although there are some ARP attack signatures. Similarly, from the custom signatures, I don't see an engine I can use.

I would greatly appreciate any ideas.

Thanks,

2 Replies

wong34539
Level 6

I am not sure if there is any signature to monitor MAC address. Try using IP log; it will capture the MAC also.

brok3n
Level 1

I'd script it to kick off a tcpdump logger when it sees it on the network -- depending on the load on your sensor you could do something with a tcpdump stream like:

tcpdump -qe -i eth0

which will log the src and dst MAC of the last-hop interface.

Output that to a file, poll it for your target MAC, kill the orig tcpdump session and kick off a tcpdump session:

tcpdump -qe -w target.dump -i eth0 ether host XX:XX:XX:XX:XX:XX

(where the X's are your target MAC)

Cisco isn't going to support that method but it will work, and you will get the entirety of all of the packet contents.

-WP!
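The poll-then-hand-off procedure brok3n describes, as an added example that is not part of the original thread: the script watches an unfiltered `tcpdump -qe` log for the target MAC, kills that session on the first sighting, logs it, and starts the filtered full-packet capture. The target MAC, the sample tcpdump lines and the log path are constructed placeholders, and the sample output format is approximated.

```shell
#!/bin/sh
# Added example, not from the original thread: poll the output of an
# unfiltered `tcpdump -qe` for a target MAC, then hand off to the filtered
# capture brok3n describes. TARGET_MAC is a constructed placeholder.
TARGET_MAC="${TARGET_MAC:-00:11:22:33:44:55}"

# Constructed sample of what `tcpdump -qe` prints (format approximated).
SAMPLE_OUTPUT='12:00:01.000001 aa:bb:cc:dd:ee:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.0.9 tell 10.0.0.7
12:00:01.000002 00:11:22:33:44:55 > aa:bb:cc:dd:ee:01, ethertype IPv4 (0x0800), length 98: IP 10.0.0.9 > 10.0.0.7: ICMP echo request, id 1, seq 1, length 64
12:00:01.000003 aa:bb:cc:dd:ee:02 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 74: IP 10.0.0.7.443 > 10.0.0.9.50000: tcp 0'

# Lowercase, colon-separated form so 00-11-22-33-44-55 == 00:11:22:33:44:55.
norm_mac() { printf '%s' "$1" | tr 'A-F' 'a-f' | tr '-' ':'; }

# Exit 0 when the target MAC appears as a whole token (src or dst) in one
# tcpdump line; a bare substring match could also hit longer hex strings.
line_has_mac() {
    _want=$(norm_mac "$2")
    norm_mac "$1" | grep -qE "(^|[^0-9a-f:])$_want([^0-9a-f:]|$)"
}

# Read tcpdump lines on stdin; print the first one carrying the MAC and
# exit 0, or exit 1 when none has been seen yet.
first_hit() {
    while IFS= read -r _line; do
        if line_has_mac "$_line" "$1"; then printf '%s\n' "$_line"; return 0; fi
    done
    return 1
}

# Run as root on the sensor: unfiltered capture to a log, poll every 2 s,
# and on first sight kill it and start the filtered full-packet capture.
watch_and_capture() {
    _iface=$1; _mac=$2; _out=$3; _log=${4:-/tmp/macwatch.log}
    tcpdump -qe -l -i "$_iface" >"$_log" 2>/dev/null &
    _pid=$!
    while :; do
        if _hit=$(first_hit "$_mac" <"$_log"); then
            kill "$_pid"
            logger -t macwatch "seen $_mac on $_iface: $_hit"
            # exec replaces this shell, so the capture keeps the script's PID.
            exec tcpdump -qe -w "$_out" -i "$_iface" ether host "$_mac"
        fi
        sleep 2
    done
}

# Offline demo on the constructed sample; no tcpdump needed:
printf '%s\n' "$SAMPLE_OUTPUT" | first_hit "$TARGET_MAC"
# Live use: watch_and_capture eth0 "$TARGET_MAC" target.dump
```

The poll interval bounds how many packets the unfiltered session sees before the hand-off; the filtered capture is the one that contains the complete packet contents for the target MAC.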