Background:

I've been using snort (http://www.snort.org) and ACID (http://www.cert.org/kb/aircert/) to generate network use information. Then I use this data to populate my blacklist file. I'm guessing that a lot of my "blacklist" IPs are DHCP assigned (since most attacks against my machine are from my ISP's DHCP pool), so using the MAC address would be better than using IPs that change!

I am using version 1.4.7

Question:

What is the best/easy/most used method of getting a MAC address from an IP address?

-thank-you
-Kyle A. Gasho
On Fri, 2003-10-10 at 12:09, Kyle Gasho wrote:

> I'm guessing that a lot of my "blacklist" IPs are DHCP assigned (since
> most attacks against my machine are from my ISP's DHCP pool), so using the
> MAC address would be better than using IPs that change!

Are these IP addresses in your subnetwork? If not, you can't use MAC
addresses since the MAC address associated with traffic from these hosts
will be that of your ISP's router.

> I am using version 1.4.7
>
> Question:
> What is the best/easy/most used method of getting a MAC address from an IP
> address?

From the firewall, ping the IP address then see if there is an entry in
your arp cache:

    arp -na

Again, only those hosts in the network defined by your external IP
address and netmask can be blocked using their MAC.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Also, take a look at 'arping'. A great utility that works wonderfully with a tailored awk/sed environment. It cuts out the extra work of ping + looking up via the arp table. Additionally, arp tables sometimes aren't always correct. ;)

There is a debian package, and a gentoo ebuild, afaik.

~silkey

Nick Silkey
ECE-LRC IT
Univ of Texas at Austin

Tom Eastep wrote:
> On Fri, 2003-10-10 at 12:09, Kyle Gasho wrote:
> [...]
> From the firewall, ping the IP address then see if there is an entry in
> your arp cache:
>
>     arp -na
>
> Again, only those hosts in the network defined by your external IP
> address and netmask can be blocked using their MAC.
>
> -Tom
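Tom's recipe above (ping the host, then read the entry out of 'arp -na') together with his caveat that this only works for hosts on the firewall's own subnet, put together as one small script. This is an added example, not code posted by Kyle, Tom or Nick and not part of Shorewall. It assumes a POSIX sh with 64-bit shell arithmetic, Linux iputils ping(8) and net-tools arp(8) (so 'arp -na' lines look like "? (10.0.0.5) at 00:11:22:33:44:55 [ether] on eth0"); the script name macof.sh and the sample ARP output are made up for the example.

```shell
#!/bin/sh
# Added example (not the posters' code, not Shorewall code). Implements Tom's
# recipe: confirm the target is on the firewall's own subnet, ping it so the
# kernel performs the ARP exchange, then read the MAC back from `arp -na`.
# Assumptions: POSIX sh with 64-bit arithmetic; Linux iputils ping(8) and
# net-tools arp(8), whose `arp -na` output lines look like
#   ? (10.0.0.5) at 00:11:22:33:44:55 [ether] on eth0
#   ? (10.0.0.9) at <incomplete> on eth0

# ip_to_int 192.168.1.10 -> 3232235786 (dotted quad as an unsigned 32-bit value)
ip_to_int() {
    _oldifs=$IFS; IFS=.
    set -- $1
    IFS=$_oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# prefix_to_mask 24 -> 4294967040 (0xFFFFFF00)
prefix_to_mask() {
    if [ "$1" -eq 0 ]; then echo 0; return; fi
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# in_subnet TARGET_IP LOCAL_IP PREFIX -> true if TARGET_IP lies in LOCAL_IP/PREFIX.
# This is Tom's caveat: frames from off-subnet hosts carry the ISP router's MAC,
# so a MAC-based block for them would only ever hit the router.
in_subnet() {
    _mask=$(prefix_to_mask "$3")
    [ $(( $(ip_to_int "$1") & _mask )) -eq $(( $(ip_to_int "$2") & _mask )) ]
}

# mac_from_arp_output IP -- reads `arp -na` output on stdin and prints the MAC
# for IP, or nothing if the entry is absent or "<incomplete>" (no ARP reply came
# back, which is exactly the case where a stale or missing cache entry would
# otherwise mislead you).
mac_from_arp_output() {
    awk -v want="($1)" '
        $2 == want && $3 == "at" && length($4) == 17 && $4 ~ /^[0-9a-fA-F:]+$/ {
            print $4; exit
        }'
}

# lookup_mac TARGET_IP FIREWALL_EXTERNAL_IP PREFIX -- the full recipe, live
lookup_mac() {
    if ! in_subnet "$1" "$2" "$3"; then
        echo "$1 is not in $2/$3; any MAC you see for it is your ISP router's, not the host's" >&2
        return 2
    fi
    # The echo reply itself is irrelevant: the ARP request/reply that the ping
    # triggers is what populates the cache, so ping's exit status is ignored.
    ping -c 1 -W 1 "$1" >/dev/null 2>&1 || :
    arp -na | mac_from_arp_output "$1"
}

# Constructed `arp -na` output, used only to exercise the parser offline.
SAMPLE_ARP='? (10.0.0.5) at 00:11:22:33:44:55 [ether] on eth0
? (10.0.0.9) at <incomplete> on eth0
? (10.0.0.1) at 00:50:56:c0:00:08 [ether] on eth0'

# Usage: ./macof.sh TARGET_IP FIREWALL_EXTERNAL_IP PREFIXLEN
if [ $# -eq 3 ]; then
    lookup_mac "$1" "$2" "$3"
fi
```

The subnet test is done before touching the network because the answer for an off-subnet address is already known: the ARP cache will, at best, hold the upstream router's MAC. Nick's arping could replace the ping step (it sends the ARP request directly and shows the reply without consulting the cache), but its command-line flags differ between the iputils and Habets implementations, so it is left out here rather than guessed at.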