Snort mailing list archives
Snort and PPPoE / tun interface
From: UIA Security Team <security () uia net>
Date: Mon, 23 Jun 2003 09:59:36 -0700
All,

We are running Snort 2.0 on FreeBSD and are having some trouble getting it to work on PacBell DSL, which is PPPoE.
1. Can snort decode "raw" PPPoE yet? I saw that several people have asked about this type of connection, and Marty posted back in 2/2000 (http://marc.theaimsgroup.com/?l=snort-users&m=98048822028060&w=2) that he would work on a decoder for this. If so, we could use it on the external interface (in our case, fxp0):

    /usr/local/bin/snort -i fxp0 -deN -c /etc/ids/snort.conf -l /var/log/snort
    [...]
    Snort analyzed 217 out of 217 packets, dropping 0(0.000%) packets

    Breakdown by protocol:                Action Stats:
        TCP: 28         (12.903%)         ALERTS: 0
        UDP: 26         (11.982%)         LOGGED: 0
       ICMP: 0          (0.000%)          PASSED: 0
        ARP: 0          (0.000%)
      EAPOL: 0          (0.000%)
       IPv6: 0          (0.000%)
        IPX: 0          (0.000%)
      OTHER: 158        (72.811%)
    DISCARD: 0          (0.000%)

2. How come Snort won't decode on a tun interface (tun/tap driver)?

    /usr/local/bin/snort -i tun99 -deN -c /etc/ids/snort.conf -l /var/log/snort
    Initializing Network Interface tun99

            --== Initializing Snort ==--
    Initializing Output Plugins!
    Decoding LoopBack on interface tun99
    Data link layer header parsing for this network type isn't implemented yet
    [...]
    Snort analyzed 493 out of 493 packets, dropping 0(0.000%) packets

    Breakdown by protocol:                Action Stats:
        TCP: 90         (18.256%)         ALERTS: 0
        UDP: 78         (15.822%)         LOGGED: 0
       ICMP: 12         (2.434%)          PASSED: 0
        ARP: 0          (0.000%)
      EAPOL: 0          (0.000%)
       IPv6: 0          (0.000%)
        IPX: 0          (0.000%)
      OTHER: 310        (62.880%)
    DISCARD: 0          (0.000%)

We sent it some events that should have triggered alerts.

Any thoughts on this, anyone? Help would be much appreciated. Surely there is someone out there doing this already?
Thanks,
--Liam
Current thread:
- Snort and PPPoE / tun interface UIA Security Team (Jun 23)
- Re: Snort and PPPoE / tun interface Liam Reimers (Jun 25)
- Re: Re: Snort and PPPoE / tun interface Rich Adamson (Jun 25)
- Re: Re: Snort and PPPoE / tun interface Erek Adams (Jun 25)
- <Possible follow-ups>
- Re: Snort and PPPoE / tun interface UIA Security Team (Jun 24)
- Re: Snort and PPPoE / tun interface Liam Reimers (Jun 25)