[Oisf-users] broadcast threshold rule

Cooper F. Nelson cnelson at ucsd.edu
Tue May 5 17:09:18 UTC 2015



If you mean detecting ethernet frames with an address of
FF:FF:FF:FF:FF:FF, I don't think that is currently possible with
suricata as I do not believe the rule engine can match by MAC address.

What you could do would be to write rules to detect the IP (or IPs) of
the broadcast address for individual vlans.  You could also set an
environment variable for all the broadcast addresses on your network.

If you really need to detect the FF:FF:FF:FF:FF:FF packets, you might be
able to write an IP tables rule to forward those packets to a loopback
address (e.g. 127.255.255.255) and then write a threshold rule to detect
that.

-Coop

On 5/5/2015 8:59 AM, Miso Mijatovic wrote:
> Hi,
> 
> Is it possible to write a rule that alerts if I have broadcast traffic -
> layer 2 - over a fixed threshold?
> 
> Regards,
> Miso
> 
> 
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
> 


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
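A concrete form of the per-VLAN broadcast-address approach suggested in the reply above, added here as an example and not taken from the original thread. The address-group variable is declared in suricata.yaml and a rule in local.rules thresholds on traffic sent to it; the VLAN broadcast addresses, the count/seconds values and the sid are assumed placeholders, and, as the reply notes, this catches IP-layer broadcast only, not raw FF:FF:FF:FF:FF:FF frames.

```yaml
# --- suricata.yaml (vars section) ---
# Constructed example: one directed-broadcast address per VLAN plus the
# limited broadcast address 255.255.255.255. Replace with your own VLANs.
vars:
  address-groups:
    BROADCAST_NET: "[10.10.1.255,10.10.2.255,10.10.3.255,255.255.255.255]"

# --- local.rules ---
# Alert once per source when that source sends more than 100 packets to any
# broadcast address within 10 seconds (type threshold fires on every
# multiple of count; track by_src keeps one counter per sending host).
# alert ip any any -> $BROADCAST_NET any (msg:"LOCAL Broadcast rate from single host exceeded"; threshold: type threshold, track by_src, count 100, seconds 10; classtype:network-scan; sid:1000001; rev:1;)

# Same idea for the aggregate: alert when a broadcast address receives more
# than 500 packets in 10 seconds regardless of sender (track by_dst).
# alert ip any any -> $BROADCAST_NET any (msg:"LOCAL Aggregate broadcast rate exceeded"; threshold: type threshold, track by_dst, count 500, seconds 10; classtype:network-scan; sid:1000002; rev:1;)
```

The two rule lines are commented out only so the block stays a single YAML fragment; copy them uncommented into local.rules and reload the rule set (for example with `suricatasc -c reload-rules`) to activate them.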
