A friend of mine came to me today with an interesting problem. He recently set up a Snort sensor and was using Base as his front-end. He was getting some alerts and he wanted to track down the workstation they were coming from. To do this he needed the MAC address of the offending workstation.
This should be easy. Snort is capturing all the information he needs, right? He fires up his handy dandy Base interface, selects the alert, and tells Base he wants the payload in pcap format. Pcap format is a format for storing information captured from a network interface. It can be viewed using many different programs like Wireshark, a graphical network traffic analyzer, and tcpdump, a command line network traffic analyzer.
Well, when he opened the file with Wireshark, the source MAC address was 11:22:33:44:55:66 and the destination MAC address was de:ad:ca:fe:ba:be. That didn't seem right, so he checked a couple of other alerts. They all had the same source and destination MAC addresses. That means one of two things. He either has a miracle network or the data is not real.
I didn't have an answer for him so I posted a question on Twitter. Within an hour, I had the answer we were looking for. @clayshek remembered having a similar issue. He went to the trouble to dig into the Base source code and found where those values are hard coded into the subroutine that builds the pcap file for downloading. Odd, but mystery solved... or is it?
I couldn't think for the life of me why the developers of Base would be hard coding the MAC addresses into a payload download. So, this evening I installed Snort and Base and started digging. It turns out the issue is not with Base.
As near as I can tell, Snort does not log link layer information to the database when mysql logging is used. I don't know why, and I can't find any way to turn it on or configure it to do so. However, it does log this information to the file system if you have it set up to do so.
Moral of the story: If you want to get MAC address information from Snort captures, you had better make sure you are logging to a file system in addition to your database. Otherwise, you are going to be looking at Dead Cafe Babes all day.
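A quick way to catch this before chasing a phantom workstation is to check whether every frame in an exported pcap carries the same placeholder pair. The script below is an added example, not code from the post or from Base/Snort; it parses the classic libpcap format directly and the two sample captures it checks are constructed inline.

```python
import struct

# Placeholder addresses that BASE writes into an exported pcap when the
# database holds no link-layer data (the values seen in the post above).
PLACEHOLDER_SRC = "11:22:33:44:55:66"
PLACEHOLDER_DST = "de:ad:ca:fe:ba:be"

def _fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def _parse_mac(text):
    return bytes(int(x, 16) for x in text.split(":"))

def read_pcap_macs(data):
    """Walk a classic libpcap file and return (src_mac, dst_mac) per Ethernet frame."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(end + "I", data[20:24])[0]
    if linktype != 1:  # DLT_EN10MB: only Ethernet frames carry the MACs we want
        raise ValueError(f"unsupported link type {linktype}")
    macs, off = [], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "I", data[off + 8:off + 12])[0]  # captured length
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) >= 14:  # dst(6) src(6) ethertype(2)
            macs.append((_fmt_mac(frame[6:12]), _fmt_mac(frame[0:6])))
    return macs

def link_layer_is_synthetic(data):
    """True when every frame carries the placeholder pair, i.e. the MACs are not real."""
    macs = read_pcap_macs(data)
    return bool(macs) and all(p == (PLACEHOLDER_SRC, PLACEHOLDER_DST) for p in macs)

def build_pcap(mac_pairs):
    """Constructed sample: little-endian pcap, Ethernet link type, one IPv4-typed frame per pair."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, dst in mac_pairs:
        frame = _parse_mac(dst) + _parse_mac(src) + b"\x08\x00" + b"\x00" * 20
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

# Constructed inputs: a BASE-style export versus a file-system capture with real-looking MACs.
BASE_EXPORT = build_pcap([(PLACEHOLDER_SRC, PLACEHOLDER_DST)] * 3)
FILE_CAPTURE = build_pcap([("00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:5f")])
```

Point `read_pcap_macs` at the bytes of a real Base download; if `link_layer_is_synthetic` returns True, the MACs came from the database path and you need the file-system log instead.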
Kevin
Great post! Just wanted to let you know you have a new subscriber- me!
This is why the best path of action is always to use Unified/Unified2 then use barnyard/barnyard2 to read said unified files and write to your mysql instance…