Suricata and rules based on MAC address

Information Security Asked by loi219 on December 28, 2021

I’m working on a project to implement SDN in a network. One of my flows is redirecting to the Suricata IDS and the flow works in layer 2 with MAC address.

Since I’ve read that Snort only works in layer 3, I would like to know if it’s possible to write a rule on Suricata that filters on MAC address of source and destination?

One Answer

Suricata implements a sub- and superset of the Snort language, but doesn't add support for matching on the layer 2.

Recently there has been some work on at least tracking and logging MAC addresses (see, so L2 is getting a bit more love.

In general, I would suggest opening a feature ticket describing the use cases.

Answered by Victor Julien on December 28, 2021

Add your own answers!

Related Questions

Help in Suricata rule bitmask syntax problem

1  Asked on January 18, 2021 by khalid


Challenge-Response authentication and SSL

1  Asked on January 16, 2021 by thunderbolt


Network intrusion security warning in router logs

2  Asked on January 15, 2021 by helpme123


Securing Android Application API access

1  Asked on January 13, 2021 by a-android-ucg


Sqlmap and multipart/form-data forms

2  Asked on January 8, 2021 by brigante


Shared Text Content – XSS Safe

1  Asked on January 8, 2021 by newb-4-you-bb


Ask a Question

Get help from others!

© 2023 All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP