Snort mailing list archives
Re: Using snort to detect ethercat
From: Alex Kirk <akirk () sourcefire com>
Date: Thu, 27 Jan 2011 08:34:12 -0500
Unfortunately, Snort rules only deal with things at the IP layer or above. The arpspoof preprocessor may be helpful, and you may see some decoder alerts if you turn on decoder.rules in your snort.conf (these aren't actually regular rules, just stubs to enable the decoder process to generate events on malformed packets), but that's about it.

On Thu, Jan 27, 2011 at 6:04 AM, Bouma, Wobbe <wobbe.bouma () nl imptob com> wrote:
Hello All,

I’ve just set up snort on Ubuntu 10.04.1 using the manual on the snort.org website. (I also added B.A.S.E.) So you can say I’m pretty new to snort, and therefore have lots of questions.

My main goal of this little project of mine is to detect layer 2 ethercat frames and then send me an email alert. Last week some engineers hooked up some beckhoff equipment to the network and that caused a lot of ethercat broadcast traffic. This caused some problems, for example a few switches stopped responding and the wireless APs didn’t forward DHCP anymore.

Is it possible to detect layer 2 ethercat frames with Snort and if so can someone help me out with a rule for this? And what would be the best way to get email alerts?

Kind regards,
WB

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com
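An added example, not part of the original thread and not Snort code: since the reply explains that Snort rules start at the IP layer, a check for EtherCAT has to look at the Ethernet header itself. The sketch below matches EtherType 0x88A4 (the value registered for EtherCAT) and goes slightly beyond the question by also skipping VLAN tags. It assumes raw frames are already available as bytes, for example from a mirror-port capture; the function names, MAC addresses and sample frames are constructed for illustration.

```python
import struct
from collections import Counter

ETHERTYPE_ETHERCAT = 0x88A4      # EtherType registered for EtherCAT
VLAN_TPIDS = {0x8100, 0x88A8}    # 802.1Q and 802.1ad tags, skipped before matching

def parse_l2(frame):
    """Return (dst, src, ethertype) with VLAN tags skipped, or None if truncated."""
    if len(frame) < 14:
        return None
    dst, src, offset = frame[0:6], frame[6:12], 12
    (etype,) = struct.unpack_from("!H", frame, offset)
    while etype in VLAN_TPIDS:
        offset += 4                       # 2-byte TPID + 2-byte TCI
        if len(frame) < offset + 2:
            return None
        (etype,) = struct.unpack_from("!H", frame, offset)
    return dst, src, etype

def ethercat_sources(frames, threshold=1):
    """Count EtherCAT frames per source MAC; keep sources at or above threshold."""
    counts = Counter()
    for frame in frames:
        parsed = parse_l2(frame)
        if parsed and parsed[2] == ETHERTYPE_ETHERCAT:
            counts[parsed[1].hex(":")] += 1
    return {mac: n for mac, n in counts.items() if n >= threshold}

def build_frame(dst, src, etype, vlan_id=None):
    """Build a constructed test frame (hypothetical helper, sample data only)."""
    tag = struct.pack("!HH", 0x8100, vlan_id) if vlan_id is not None else b""
    return dst + src + tag + struct.pack("!H", etype) + b"\x00" * 46

BCAST = b"\xff" * 6
DEV_A = bytes.fromhex("020000000001")    # constructed MACs, locally administered
DEV_B = bytes.fromhex("020000000002")
SAMPLE_FRAMES = [
    build_frame(BCAST, DEV_A, 0x88A4),               # untagged EtherCAT broadcast
    build_frame(BCAST, DEV_A, 0x88A4, vlan_id=10),   # same, inside an 802.1Q tag
    build_frame(BCAST, DEV_B, 0x0806),               # ARP, must not match
    build_frame(DEV_A, DEV_B, 0x0800),               # IPv4, must not match
    BCAST + DEV_B + b"\x81",                         # truncated, must be ignored
]

if __name__ == "__main__":
    for mac, n in ethercat_sources(SAMPLE_FRAMES).items():
        print(f"EtherCAT frames seen from {mac}: {n}")
```

Raising `threshold` turns the per-source count into a simple flood indicator over whatever window of frames is passed in.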
Current thread:
- Using snort to detect ethercat Bouma, Wobbe (Jan 27)
- Re: Using snort to detect ethercat Alex Kirk (Jan 27)
- Re: Using snort to detect ethercat Martin Holste (Jan 29)