Snort mailing list archives
Re: Snort extension for layer 2 attacks
From: "Al Lewis (allewi) via Snort-devel" <snort-devel () lists snort org>
Date: Mon, 2 Mar 2020 18:00:01 +0000
Hello,

You may want to have a look at snort3. It was designed to make it easy to extend. Check the "extending.txt" file located within the download for details.

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi () cisco com

From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of Awais Ali via Snort-devel <snort-devel () lists snort org>
Reply-To: Awais Ali <awaisali901 () gmail com>
Date: Monday, March 2, 2020 at 10:37 AM
To: "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: Re: [Snort-devel] Snort extension for layer 2 attacks

I know there is an ARP preprocessor in Snort. But I want to detect attacks in special layer 2 protocols like GOOSE, CDP etc. If I want to detect attacks in the payload of the GOOSE protocol, then there is no such solution, since Snort detects payload of layer 3 and above. There are many such special protocols in layer 2 where, if you want to detect regular extensions/content in the payload, there is no such solution. I want to extend Snort in this domain by writing decoders for that particular protocol, the way we have for other protocols like tcp/udp above layer 3. I need guidelines and a little bit of technical support from you guys, or any better solution to do this task using Snort.

I hope you will cooperate in this regard. I am looking forward to hearing from you.

Thanks,
Awais Ali

On Mon, 2 Mar 2020, 15:35 Joel Esler (jesler), <jesler () cisco com> wrote:

We already have a layer 2 tool, check out the arpspoof preprocessor.

--
Joel Esler
Manager, Communities Division
Cisco Talos Intelligence Group
http://www.talosintelligence.com

On Feb 28, 2020, at 12:56 PM, Awais Ali via Snort-devel <snort-devel () lists snort org> wrote:

Hello all,

I am a master's student working at Siemens AG; nowadays I am working on a possible extension of Snort for layer 2 attacks.

As per my understanding, I need to write a decoder for that particular protocol and a preprocessor as well. Can someone guide me on how I can write a decoder for any given layer 2 protocol, the way Snort parses the protocols for layer 3 and above?

I hope you will cooperate in this regard.

Thanks,
Awais Ali

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Snort extension for layer 2 attacks Awais Ali via Snort-devel (Mar 02)
- Re: Snort extension for layer 2 attacks Joel Esler (jesler) via Snort-devel (Mar 02)
- Re: Snort extension for layer 2 attacks Awais Ali via Snort-devel (Mar 02)
- Re: Snort extension for layer 2 attacks Al Lewis (allewi) via Snort-devel (Mar 02)
- Re: Snort extension for layer 2 attacks Nicholas Mavis (Mar 02)
- Re: Snort extension for layer 2 attacks Chamara Devanarayana via Snort-devel (Mar 05)
- Re: Snort extension for layer 2 attacks Awais Ali via Snort-devel (Mar 05)
- Re: Snort extension for layer 2 attacks Awais Ali via Snort-devel (Mar 06)
- Re: Snort extension for layer 2 attacks Awais Ali via Snort-devel (Mar 02)
- Re: Snort extension for layer 2 attacks Joel Esler (jesler) via Snort-devel (Mar 02)