Re: PPPoE problem with Snort on OpenBSD 4.7.

[Schrodinger <schrodinger () konundrum org>]

On Mon, Aug 09, 2010 at 04:16:54PM -0400, Russ Combs wrote:
[...]

>      From what I can tell the problem is that in src/snort.c there is no
>      support for 'DLT_PPP_ETHER'.
>
>    I believe you nailed this one.  Not sure how back the problem goes, but
>    the fix will be in Snort 2.9.0.  If you are comfortable reading source,
>    hopefully you can download the latest tarball and build from there.  The
>    fix won't be in that tarball, but it should be in the next.

Cheers Russ.

I tried to patch snort.c myself but I either missed something or there
are additional complexities that I'm not aware of but the following
changes resulted in a core dump as soon as snort began inspecting 
packets. I thought that the issue might have been my firewall being 
under-performed for snort, which could also still be the case but it 
runs fine on the same box when sniffing traffic on the inside ethernet 
interface.

--- snort.c-dist        Sun Aug  8 23:38:37 2010
+++ snort.c     Sun Aug  8 23:51:55 2010
@@ -2926,6 +2926,17 @@
             grinder = DecodeI4LCiscoIPPkt;
             break;
 #endif
+#ifdef DLT_PPP_ETHER
+       case DLT_PPP_ETHER:
+               if (!ScReadMode())
+               {
+                       LogMessage("Decoding PPPoE on interface %s\n",
+                               PRINT_INTERFACE(pcap_interface));
+               }
+
+               grinder = DecodePPPoEPkt;
+               break;
+#endif
 
         default:
             /* oops, don't know how to handle this one */

Conor.

>      Can you help with this ? If you need any more information please ask.
>
>      Many thanks,
>      Conor.
>      --
>      +---------------------------------------------------------------+
>      It was a new day yesterday, but it's an old day now.
>      MSN: schro5 () hotmail com
>      ICQ: 112562229
>      GPG: http://www.konundrum.org/schro.asc
>      ------------------------------------------------------------------------------
>      This SF.net email is sponsored by
>
>      Make an app they can't live without
>      Enter the BlackBerry Developer Challenge
>      http://p.sf.net/sfu/RIM-dev2dev
>      _______________________________________________
>      Snort-users mailing list
>      Snort-users () lists sourceforge net
>      Go to this URL to change user options or unsubscribe:
>      https://lists.sourceforge.net/lists/listinfo/snort-users
>      Snort-users list archive:
>      http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
+---------------------------------------------------------------+
It was a new day yesterday, but it's an old day now.
MSN: schro5 () hotmail com
ICQ: 112562229
GPG: http://www.konundrum.org/schro.asc

Attachment: _bin
Description:

------------------------------------------------------------------------------
This SF.net email is sponsored by 

Make an app they can't live without
Enter the BlackBerry Developer Challenge
http://p.sf.net/sfu/RIM-dev2dev

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users