Information Security Asked by loi219 on December 28, 2021
I’m working on a project to implement SDN in a network. One of my flows is redirecting to the Suricata IDS and the flow works in layer 2 with MAC address.
Since I’ve read that Snort only works at layer 3, I would like to know if it’s possible to write a rule in Suricata that filters on the source and destination MAC addresses.
Suricata implements a sub- and superset of the Snort language, but doesn't add support for matching on layer 2.
Recently there has been some work on at least tracking and logging MAC addresses (see https://github.com/OISF/suricata/pull/4975), so L2 is getting a bit more love.
In general, I would suggest opening a feature ticket describing the use cases.
Answered by Victor Julien on December 28, 2021
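Since the answer points at MAC logging rather than MAC matching, the practical option today is to match on the logged addresses after the fact. The script below is an added example (not from the question, the answer, or the Suricata project): it filters eve.json records by the source/destination MAC in the "ether" object. The "ether" / "src_mac" / "dest_mac" field names are assumed from Suricata's ethernet logging output, and the log lines are constructed samples.

```python
import json

# Constructed eve.json lines (not real captures). The "ether" object with
# src_mac/dest_mac is assumed to be the shape Suricata writes when ethernet
# logging is enabled for the eve-log output; the third record has no L2 info.
SAMPLE_EVE = """\
{"timestamp":"2021-12-28T10:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","ether":{"src_mac":"00:11:22:33:44:55","dest_mac":"66:77:88:99:aa:bb"},"alert":{"signature":"TEST rule A","signature_id":1000001}}
{"timestamp":"2021-12-28T10:00:02.000000+0000","event_type":"flow","src_ip":"10.0.0.7","dest_ip":"10.0.0.9","ether":{"src_mac":"00:11:22:33:44:66","dest_mac":"66:77:88:99:aa:bb"}}
{"timestamp":"2021-12-28T10:00:03.000000+0000","event_type":"alert","src_ip":"10.0.0.8","dest_ip":"10.0.0.9","alert":{"signature":"TEST rule B","signature_id":1000002}}
{"timestamp":"2021-12-28T10:00:04.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","ether":{"src_mac":"00:11:22:33:44:55","dest_mac":"66:77:88:99:aa:bb"},"alert":{"signature":"TEST rule C","signature_id":1000003}}
"""


def normalize_mac(mac):
    """Lower-case and accept ':' or '-' separators so operator input matches log output."""
    return mac.strip().lower().replace("-", ":")


def filter_events(eve_text, src_mac=None, dest_mac=None, event_types=("alert",)):
    """Return the eve.json events whose logged MAC addresses match the filter.

    Records without an 'ether' object (ethernet logging off, or a capture with
    no L2 header) cannot be matched on MAC and are skipped, not treated as hits.
    """
    want_src = normalize_mac(src_mac) if src_mac else None
    want_dst = normalize_mac(dest_mac) if dest_mac else None
    matches = []
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # partially written line at the tail of a live log; skip it
        if ev.get("event_type") not in event_types:
            continue
        ether = ev.get("ether")
        if not isinstance(ether, dict):
            continue
        if want_src and normalize_mac(ether.get("src_mac", "")) != want_src:
            continue
        if want_dst and normalize_mac(ether.get("dest_mac", "")) != want_dst:
            continue
        matches.append(ev)
    return matches


if __name__ == "__main__":
    for ev in filter_events(SAMPLE_EVE, src_mac="00-11-22-33-44-55"):
        print(ev["timestamp"], ev["alert"]["signature_id"], ev["ether"]["src_mac"])
```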