Suricata and rules based on MAC address

Information Security. Asked by loi219 on December 28, 2021

I’m working on a project to implement SDN in a network. One of my flows redirects traffic to the Suricata IDS, and that flow works at layer 2, with MAC addresses.

Since I’ve read that Snort only works at layer 3, I would like to know whether it’s possible to write a Suricata rule that filters on the source and destination MAC addresses.

One Answer

Suricata implements a sub- and superset of the Snort language, but doesn't add support for matching on layer 2.

Recently there has been some work on at least tracking and logging MAC addresses (see https://github.com/OISF/suricata/pull/4975), so L2 is getting a bit more love.

In general, I would suggest opening a feature ticket describing the use cases.

Answered by Victor Julien on December 28, 2021
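Since the rule language cannot match on layer 2 but newer Suricata builds can log MAC addresses, the practical workaround is to let every rule fire and then select events by MAC address from the eve.json output. The following is an added example, not code from the question, the answer, or the Suricata project. It assumes the eve-log output has the `ethernet: yes` option enabled, under which each event carries an `ether` object with `src_mac`/`dest_mac` (and `src_macs`/`dest_macs` lists on flow records); the sample eve.json lines are constructed here, not captured from a real sensor, and the field names should be checked against your own output.

```python
import json

# Constructed sample eve.json lines (not real Suricata output), in the shape
# eve-log produces with `ethernet: yes`: an "ether" object holding
# "src_mac"/"dest_mac" on alerts and "src_macs"/"dest_macs" on flow records.
# Those field names are an assumption about that option. The last line is
# deliberately malformed to show that bad lines are skipped, not fatal.
SAMPLE_EVE = """\
{"timestamp":"2021-12-28T10:00:00.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP","ether":{"src_mac":"00:11:22:33:44:55","dest_mac":"66:77:88:99:aa:bb"},"alert":{"signature_id":1000001,"signature":"TEST rule one"}}
{"timestamp":"2021-12-28T10:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"10.0.0.9","proto":"TCP","ether":{"src_mac":"de:ad:be:ef:00:01","dest_mac":"66:77:88:99:aa:bb"},"alert":{"signature_id":1000002,"signature":"TEST rule two"}}
{"timestamp":"2021-12-28T10:00:02.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP","ether":{"src_macs":["00:11:22:33:44:55"],"dest_macs":["66:77:88:99:aa:bb"]}}
{"timestamp":"2021-12-28T10:00:03.000000+0000","event_type":"alert","src_ip":"10.0.0.8","dest_ip":"10.0.0.9","proto":"TCP","alert":{"signature_id":1000003,"signature":"TEST rule three"}}
not json at all
"""

HEX = set("0123456789abcdef")


def normalize_mac(mac):
    """Canonicalize a MAC to lower-case colon form; reject anything that is not six hex octets."""
    parts = mac.strip().lower().replace("-", ":").split(":")
    if len(parts) != 6 or not all(len(p) == 2 and set(p) <= HEX for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(parts)


def event_macs(event):
    """Return (source MACs, destination MACs) found in an eve event; empty sets if it has no ether data."""
    ether = event.get("ether") or {}
    src, dst = set(), set()
    for key, bucket in (("src_mac", src), ("dest_mac", dst)):
        if key in ether:
            bucket.add(normalize_mac(ether[key]))
    for key, bucket in (("src_macs", src), ("dest_macs", dst)):
        for m in ether.get(key, []):
            bucket.add(normalize_mac(m))
    return src, dst


def filter_events(eve_text, src_macs=(), dest_macs=(), event_types=("alert",)):
    """Select eve events whose layer-2 addresses match.

    Every given MAC set that is non-empty must match; events with no ether
    information can never match. Malformed lines are skipped, so one bad line
    in a large eve.json does not abort the run.
    """
    want_src = {normalize_mac(m) for m in src_macs}
    want_dst = {normalize_mac(m) for m in dest_macs}
    if not want_src and not want_dst:
        raise ValueError("give at least one source or destination MAC to filter on")
    matched = []
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("event_type") not in event_types:
            continue
        src, dst = event_macs(event)
        if want_src and not (src & want_src):
            continue
        if want_dst and not (dst & want_dst):
            continue
        matched.append(event)
    return matched


if __name__ == "__main__":
    # Alerts from one source MAC, matched case-insensitively.
    for ev in filter_events(SAMPLE_EVE, src_macs=["00-11-22-33-44-55"]):
        print(ev["timestamp"], ev["alert"]["signature_id"], ev["ether"]["src_mac"])
```

This only narrows what gets reported; Suricata still inspects everything it receives. If the goal is instead to limit what the sensor inspects at all, a capture-level BPF filter (a trailing expression such as `ether host 00:11:22:33:44:55` on the `suricata` command line, or a filter file passed with `-F`) applies at capture time and does understand layer 2, which is the nearest thing to a MAC match that the rule language itself does not offer.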
