Snort rules content for src and dsr address

Question

If I want to alert the traffic with the snort rule alert:

Ethernet II, Src: Xircom_c5:7c:38 (00:10:a4:c5:7c:38), Dst: 3comCorp_a8:61:24 (00:60:08:a8:61:24)

Try to use:

alert tcp any any -> any any (content:"|00 60 08 a8 61 24|"; content:"|00 10 a4 c5 7c 38|"; nocase; msg:"Alert")

It looks not working.....

Answer 1

Snort does not work at MAC address level, it works with TCP, UDP, ICMP and IP protocols.

Your rule is a tcp rule and therefore will have a minimum 20 byte header, possibly up to 60 bytes depending on options.

Since snort content rules only match in the payload, this means that each of your content terms content:"|00 60 08 a8 61 24|" and content:"|00 10 a4 c5 7c 38|" will only match after the initial header (20 - 60 bytes).