Snort mailing list archives
Re:Snort & Cisco Catalyst ISL
From: "limbo " <limbo () usa com>
Date: Thu, 09 May 2002 21:40:06 -0500

Yep. I have fixed this problem in snort 1.8.4 :)

You know, the Ethernet frame is encapsulated with a 26-byte header and a 4-byte tail (CRC checksum) according to Cisco ISL. So, we only need to modify DecodeEthPkt() in decode.c :)

decode.c

    /* $Id: decode.c,v 1.48.2.7 2002/03/16 06:31:16 roesch Exp $ */
    ......
    void DecodeEthPkt(Packet * p, struct pcap_pkthdr * pkthdr, u_int8_t * pkt)
    {
        ......
        /* lay the ethernet structure over the packet data */
        p->eh = (EtherHdr *) pkt;

    #ifdef DEBUG
        ErrorMessage("%X   %X\n", *p->eh->ether_src, *p->eh->ether_dst);
    #endif

        /******************************************************/
        /* check to see if we've got a CISCO ISL packet.      */
        /* Added by limbo & flag. 2002/05/08                  */
        /* cap_len >= 44 keeps the byte reads and cap_len - 44 */
        /* inside the captured data on short frames           */
        if ( (cap_len >= 44) &&
             (*(pkt+14) == 0xaa) && (*(pkt+15) == 0xaa) && (*(pkt+16) == 0x3) )
        {
    #ifdef DEBUG
            PrintNetData(stdout, p->pkt, cap_len);
            ClearDumpBuf();
    #endif
            /* 40 = 26 + 14; 44 = 40 + 4 */
            DecodeIP(p->pkt + 40, cap_len - 44, p);
            return;
        }
        /*****************************************************/

        /* grab out the network type */
        switch(ntohs(p->eh->ether_type))
        {
        ........

good luck

limbo

----------------------------------------------------
From: Dave Cundiff (dave.cundiff () exchange1 cybx net)
Date: Mon Mar 04 2002 - 07:50:08 CST

I'm looking at setting up snort for my network here but have a quick question that I can't seem to answer from any of the documentation. I'm going to be using a hardware sniffer to copy the ISL trunk going between my main switch and my router to a snort box. This should allow snort to sniff all traffic on my network. However since it's an ISL trunk all the packets will have an additional header on them containing what vlan the packet is for. So my question is can or is there some way that Snort can ignore that first header? Or will it just not be able to make any sense out of the packet?

Dave Cundiff
Systems Administrator
World Wide Net, Inc.
http://www.wwnet.net
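
Added example, not part of the original post or of Snort's code: a stand-alone C helper that does the ISL unwrapping described in the message (26-byte header, AA AA 03 at bytes 14-16, inner payload at offset 40, 4-byte CRC tail) with the length check done before any byte is read, and that reports the inner frame's type so the caller can decide whether it is IP. The names `isl_unwrap`, `isl_inner` and `isl_sample` are hypothetical, and the VLAN field position (15 bits at bytes 20-21) is an assumption taken from the ISL frame layout, not from the post.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ISL_HDR_LEN  26  /* ISL header, per the post */
#define ISL_CRC_LEN   4  /* CRC tail, per the post */
#define ETH_HDR_LEN  14  /* encapsulated Ethernet header */
#define ISL_OVERHEAD (ISL_HDR_LEN + ETH_HDR_LEN + ISL_CRC_LEN)  /* 44 */

struct isl_inner {           /* hypothetical result type for this example */
    uint16_t vlan;           /* assumption: 15-bit VLAN id at bytes 20-21 */
    uint16_t ether_type;     /* type field of the encapsulated frame */
    const uint8_t *l3;       /* first byte after the inner Ethernet header */
    size_t l3_len;           /* layer-3 bytes, CRC tail excluded */
};

/* Returns 1 and fills *out for a complete ISL frame, else 0. */
int isl_unwrap(const uint8_t *buf, size_t cap_len, struct isl_inner *out)
{
    /* Length first, so no read below leaves the capture and
     * cap_len - ISL_OVERHEAD cannot wrap on a truncated frame. */
    if (cap_len < ISL_OVERHEAD)
        return 0;
    if (buf[14] != 0xaa || buf[15] != 0xaa || buf[16] != 0x03)
        return 0;            /* marker bytes tested in the post */
    out->vlan = (uint16_t)(((buf[20] << 8) | buf[21]) >> 1);
    out->ether_type = (uint16_t)((buf[38] << 8) | buf[39]);
    out->l3 = buf + ISL_HDR_LEN + ETH_HDR_LEN;
    out->l3_len = cap_len - ISL_OVERHEAD;
    return 1;
}

/* Constructed sample: VLAN 10, inner type 0x0800, 20 payload bytes. */
size_t isl_sample(uint8_t f[64])
{
    memset(f, 0, 64);
    f[14] = 0xaa; f[15] = 0xaa; f[16] = 0x03;
    f[21] = 10 << 1; f[38] = 0x08; f[40] = 0x45;
    return 64;
}

int main(void)
{
    uint8_t f[64];
    struct isl_inner in;
    if (isl_unwrap(f, isl_sample(f), &in) && in.ether_type == 0x0800)
        printf("vlan %u, %zu bytes of IP at offset 40\n", (unsigned)in.vlan, in.l3_len);
    return 0;
}
```
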