Snort mailing list archives

Re: Snort & Cisco Catalyst ISL


From: "limbo " <limbo () usa com>
Date: Thu, 09 May 2002 21:40:06 -0500

Yep. I have fixed this problem in snort 1.8.4 :)
You know, the Ethernet frame is encapsulated with a 26-byte header and a 4-byte tail (CRC checksum) according to 
CISCO-ISL. So, we only need to modify DecodeEthPkt() in decode.c :)
 

decode.c
/* $Id: decode.c,v 1.48.2.7 2002/03/16 06:31:16 roesch Exp $ */ 
......
void DecodeEthPkt(Packet * p, struct pcap_pkthdr * pkthdr, u_int8_t * pkt)
{
    ......
    /* lay the ethernet structure over the packet data */
    p->eh = (EtherHdr *) pkt;

#ifdef DEBUG
    ErrorMessage("%X   %X\n", *p->eh->ether_src, *p->eh->ether_dst);
#endif

    /******************************************************/
    /* check to see if we've got a Cisco ISL packet.      */
    /* Added by limbo & flag. 2002/05/08                  */
    /* ISL carries the SNAP constant AA AA 03 at offset   */
    /* 14 of its 26-byte header.                          */
    if ( (*(pkt+14) == 0xaa) && (*(pkt+15) == 0xaa) && (*(pkt+16) == 0x3) ) {

#ifdef DEBUG
        PrintNetData(stdout, p->pkt, cap_len);
        ClearDumpBuf();
#endif
        /* skip the 26-byte ISL header plus the 14-byte inner Ethernet
         * header (40 = 26 + 14); the inner frame's 4-byte CRC at the end
         * comes off the length (44 = 40 + 4) */
        DecodeIP(p->pkt + 40, cap_len - 44, p);
        return;
    }
    /*****************************************************/
    /* grab out the network type */
    switch(ntohs(p->eh->ether_type))
    {
        ........


good luck

limbo
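As an added example (not part of limbo's patch and not Snort code), here is a stand-alone C decoder for the framing the patch relies on: a 26-byte ISL header, the original Ethernet frame after it, and that frame's own 4-byte FCS at the end, with the outer ISL FCS assumed stripped by the capturing NIC, which is the same assumption behind the patch's `cap_len - 44`. It keeps the patch's offset-14 test as `limbo_isl_check` and sets a stricter `is_isl_frame` beside it that also requires the ISL destination address 01-00-0C-00-00 (or 03-00-0C-00-00) and TYPE nibble 0, because AA AA 03 at offset 14 is simply the LLC/SNAP constant and also appears in ordinary 802.3 SNAP frames, which the patch would then feed to DecodeIP. The decoder also exposes the VLAN id and the inner EtherType, so a caller can dispatch on the encapsulated protocol instead of assuming IP. Both sample frames are constructed; the MAC addresses, the LEN field value (total length including outer FCS minus 18, per the ISL field definition) and the placeholder FCS bytes are illustrative, and all function names are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ISL_HDR_LEN 26   /* ISL encapsulation header */
#define ETH_HDR_LEN 14   /* encapsulated Ethernet header */
#define FCS_LEN      4   /* encapsulated frame's own FCS, which ISL keeps */

typedef struct {
    unsigned vlan;                 /* 15-bit VLAN id from the ISL header */
    int bpdu;                      /* BPDU/CDP flag (low bit of the VLAN field) */
    uint16_t inner_ethertype;      /* EtherType of the encapsulated frame */
    const uint8_t *inner_payload;  /* first byte after the inner Ethernet header */
    size_t inner_payload_len;      /* payload bytes, inner FCS excluded */
} isl_frame_t;

/* The heuristic from limbo's patch: the SNAP constant AA AA 03 at offset 14. */
int limbo_isl_check(const uint8_t *pkt, size_t caplen)
{
    return caplen >= 17 && pkt[14] == 0xaa && pkt[15] == 0xaa && pkt[16] == 0x03;
}

/* Stricter test: ISL DA, TYPE nibble 0 (Ethernet encapsulation), the SNAP
 * constant, and enough bytes for ISL header + inner Ethernet header + FCS. */
int is_isl_frame(const uint8_t *pkt, size_t caplen)
{
    return caplen >= ISL_HDR_LEN + ETH_HDR_LEN + FCS_LEN
        && (pkt[0] == 0x01 || pkt[0] == 0x03)           /* ISL DA: 01/03 ... */
        && memcmp(pkt + 1, "\x00\x0c\x00\x00", 4) == 0  /* ... 00-0C-00-00   */
        && (pkt[5] >> 4) == 0                           /* TYPE 0 = Ethernet */
        && limbo_isl_check(pkt, caplen);                /* SNAP constant     */
}

/* Fills *out and returns 0 for an ISL frame, -1 otherwise. */
int decode_isl(const uint8_t *pkt, size_t caplen, isl_frame_t *out)
{
    const uint8_t *inner;
    uint16_t vlan_field;
    if (!is_isl_frame(pkt, caplen))
        return -1;
    vlan_field = (uint16_t)((pkt[20] << 8) | pkt[21]);
    out->vlan = vlan_field >> 1;
    out->bpdu = vlan_field & 1;
    inner = pkt + ISL_HDR_LEN;                  /* the original Ethernet frame */
    out->inner_ethertype = (uint16_t)((inner[12] << 8) | inner[13]);
    out->inner_payload = inner + ETH_HDR_LEN;   /* offset 40, as in the patch */
    out->inner_payload_len = caplen - ISL_HDR_LEN - ETH_HDR_LEN - FCS_LEN;
    return 0;
}

/* Constructed sample: an ISL frame on VLAN 100 carrying an IPv4 packet.
 * The outer ISL FCS is omitted, as a capturing NIC normally strips it. */
size_t build_sample_isl_frame(uint8_t *buf, size_t bufsize)
{
    static const uint8_t frame[] = {
        0x01,0x00,0x0c,0x00,0x00,               /* ISL DA */
        0x00,                                   /* TYPE=0 (Ethernet), USER=0 */
        0x00,0x10,0x7b,0x01,0x02,0x03,          /* SA (constructed) */
        0x00,0x32,                              /* LEN: 64+4-18 = 50 (assumed) */
        0xaa,0xaa,0x03,                         /* SNAP constant */
        0x00,0x00,0x0c,                         /* HSA: Cisco OUI */
        0x00,0xc8,                              /* VLAN 100 << 1, BPDU=0 */
        0x00,0x00, 0x00,0x00,                   /* INDEX, RES */
        0x00,0x50,0x56,0xaa,0xbb,0xcc,          /* inner dst MAC */
        0x00,0x0c,0x29,0x11,0x22,0x33,          /* inner src MAC */
        0x08,0x00,                              /* inner EtherType: IPv4 */
        0x45,0x00,0x00,0x14,0x00,0x01,0x00,0x00,/* IPv4 header, 20 bytes */
        0x40,0x11,0x00,0x00,0xc0,0xa8,0x01,0x0a,
        0xc0,0xa8,0x01,0x14,
        0xde,0xad,0xbe,0xef                     /* inner FCS (placeholder) */
    };
    if (bufsize < sizeof frame) return 0;
    memcpy(buf, frame, sizeof frame);
    return sizeof frame;                        /* 64 bytes */
}

/* Constructed decoy: an ordinary 802.3 frame with an LLC/SNAP header. It also
 * has AA AA 03 at offset 14, so the offset-14 check alone takes it for ISL. */
size_t build_snap_decoy_frame(uint8_t *buf, size_t bufsize)
{
    static const uint8_t head[] = {
        0xff,0xff,0xff,0xff,0xff,0xff,          /* dst: broadcast */
        0x00,0x0c,0x29,0x44,0x55,0x66,          /* src (constructed) */
        0x00,0x2e,                              /* 802.3 length = 46 */
        0xaa,0xaa,0x03,                         /* LLC: SNAP */
        0x00,0x00,0x00,0x08,0x06                /* SNAP: OUI 0, EtherType ARP */
    };
    size_t total = ETH_HDR_LEN + 46;            /* 60-byte minimum frame */
    if (bufsize < total) return 0;
    memset(buf, 0, total);                      /* zeroed body (constructed) */
    memcpy(buf, head, sizeof head);
    return total;
}

int main(void)
{
    uint8_t buf[128];
    isl_frame_t f;
    size_t n = build_sample_isl_frame(buf, sizeof buf);
    if (decode_isl(buf, n, &f) == 0)
        printf("ISL vlan=%u ethertype=0x%04x payload=%zu bytes\n",
               f.vlan, f.inner_ethertype, f.inner_payload_len);
    n = build_snap_decoy_frame(buf, sizeof buf);
    printf("decoy: offset-14 check=%d strict=%d\n",
           limbo_isl_check(buf, n), is_isl_frame(buf, n));
    return 0;
}
```

Run on the sample frame, `decode_isl` lands on the IPv4 header at offset 40 with a 20-byte payload length, matching the patch's `p->pkt + 40` and `cap_len - 44`; on the SNAP decoy, `limbo_isl_check` fires while `is_isl_frame` does not. If a capture does include the outer ISL FCS, subtract a further 4 bytes from the payload length.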

----------------------------------------------------
From: Dave Cundiff (dave.cundiff () exchange1 cybx net)
Date: Mon Mar 04 2002 - 07:50:08 CST 

I'm looking at setting up snort for my network here but have a quick 
question that I can't seem to answer from any of the documentation. I'm 
going to be using a hardware sniffer to copy the ISL trunk going between my 
main switch and my router to a snort box. This should allow snort to sniff 
all traffic on my network. However since it's an ISL trunk all the packets 
will have an additional header on them containing what vlan the packet is 
for. 


So my question is can or is there some way that Snort can ignore that first 
header? Or will it just not be able to make any sense out of the packet? 


Dave Cundiff 
Systems Administrator 
World Wide Net, Inc. 
http://www.wwnet.net 





_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users