
Re: Snort extension for layer 2 attacks


From: "Al Lewis (allewi) via Snort-devel" <snort-devel () lists snort org>
Date: Mon, 2 Mar 2020 18:00:01 +0000

Hello,

You may want to have a look at snort3. It was designed to make it easy to extend.

Check the “extending.txt” file located within the download for details.


Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi () cisco com



From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of Awais Ali via Snort-devel <snort-devel () lists snort org>
Reply-To: Awais Ali <awaisali901 () gmail com>
Date: Monday, March 2, 2020 at 10:37 AM
To: "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: Re: [Snort-devel] Snort extension for layer 2 attacks


I know there is an ARP preprocessor in snort. But I want to detect attacks in special layer 2 protocols like Goose, CDP etc.
If I want to detect the attacks in the payload of the Goose protocol then there is no such solution, since snort detects the payload of layer 3 and above.
There are many such special protocols in layer 2 where if you want to detect regular expressions/content in the payload then there is no such solution.

I want to extend snort in this domain by writing decoders for that particular protocol, the way we have for other protocols like tcp/udp above layer 3.
I need guidelines and a little bit of technical support from you guys, or any better solution to do this task using snort.

I hope you will cooperate in this regard. I am looking forward to hearing from you.

Thanks,
Awais Ali

On Mon, 2 Mar 2020, 15:35 Joel Esler (jesler), <jesler () cisco com> wrote:
We already have a layer 2 tool, check out the arpspoof preprocessor.

--
Joel Esler
Manager, Communities Division
Cisco Talos Intelligence Group
http://www.talosintelligence.com


On Feb 28, 2020, at 12:56 PM, Awais Ali via Snort-devel <snort-devel () lists snort org> wrote:

Hello all,
I am a master's student working at Siemens AG; nowadays I am working on a possible extension of snort for layer 2 attacks.
As per my understanding, I need to write a decoder for that particular protocol and a preprocessor as well.

Can someone guide me on how I can write a decoder for any given layer 2 protocol, the way snort parses the protocols for layer 3 and above? I hope you will cooperate in this regard.

Thanks,
Awais Ali
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!

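The thread asks how a decoder for a layer 2 protocol such as GOOSE would expose its payload for content inspection the way Snort's TCP/UDP decoders do for layer 3 and above. The following is an added example, not code from the thread or from the Snort project: a standalone C++ decoder for GOOSE over Ethernet (EtherType 0x88B8, optionally behind an 802.1Q tag) that validates every length field before handing the APDU to a content match. The frame bytes and the `build_goose_frame`, `sample_apdu`, `sample_ipv4_frame`, `decode_vec` and `apdu_contains` helpers are constructed for this example; it does not use the Snort 3 codec API, which a real plugin would wrap around the same decoding logic.

```cpp
// Added example: bounds-checked GOOSE (IEC 61850-8-1) layer 2 decoder.
// Not Snort code; helpers and sample frames are constructed for illustration.
#include <cstdint>
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <vector>

struct GooseFrame {
    bool ok = false;              // false: not GOOSE, or malformed
    uint16_t vlan_id = 0;         // 0 when no 802.1Q tag is present
    uint16_t appid = 0;
    uint16_t length = 0;          // GOOSE Length field: 8-byte header + APDU
    const uint8_t* apdu = nullptr; // points into the caller's frame buffer
    size_t apdu_len = 0;
};

static uint16_t be16(const uint8_t* p) { return (uint16_t)((p[0] << 8) | p[1]); }

// Decode one raw Ethernet frame. Every read is preceded by a length check so a
// frame whose Length field exceeds the captured bytes is rejected, not read past.
GooseFrame decode_goose(const uint8_t* data, size_t len) {
    GooseFrame f;
    size_t off = 12;                          // dst MAC (6) + src MAC (6)
    if (len < off + 2) return f;
    uint16_t ethertype = be16(data + off);
    off += 2;
    if (ethertype == 0x8100) {                // 802.1Q: TCI (2) + inner EtherType (2)
        if (len < off + 4) return f;
        f.vlan_id = be16(data + off) & 0x0FFF;
        ethertype = be16(data + off + 2);
        off += 4;
    }
    if (ethertype != 0x88B8) return f;        // not GOOSE
    if (len < off + 8) return f;              // APPID, Length, Reserved1, Reserved2
    f.appid = be16(data + off);
    f.length = be16(data + off + 2);
    if (f.length < 8 || off + f.length > len) return f;  // Length must fit the frame
    f.apdu = data + off + 8;
    f.apdu_len = f.length - 8;
    if (f.apdu_len < 2 || f.apdu[0] != 0x61) return f;   // goosePdu is BER tag 0x61
    f.ok = true;
    return f;
}

GooseFrame decode_vec(const std::vector<uint8_t>& v) { return decode_goose(v.data(), v.size()); }

// Rule-style content match restricted to the APDU, never the Ethernet/GOOSE header.
bool apdu_contains(const GooseFrame& f, const char* pat) {
    size_t n = std::strlen(pat);
    if (!f.ok || n == 0 || f.apdu_len < n) return false;
    for (size_t i = 0; i + n <= f.apdu_len; ++i)
        if (std::memcmp(f.apdu + i, pat, n) == 0) return true;
    return false;
}

// Constructed APDU: goosePdu (0x61) carrying only gocbRef [0] = "IED1/LLN0".
std::vector<uint8_t> sample_apdu() {
    return {0x61, 0x0B, 0x80, 0x09, 'I', 'E', 'D', '1', '/', 'L', 'L', 'N', '0'};
}

// Build a constructed GOOSE frame; length_override lets a test forge a bad Length field.
std::vector<uint8_t> build_goose_frame(bool tagged, uint16_t appid,
                                       const std::vector<uint8_t>& apdu,
                                       int length_override = -1) {
    std::vector<uint8_t> f = {0x01, 0x0C, 0xCD, 0x01, 0x00, 0x01,   // dst: GOOSE multicast
                              0x00, 0x11, 0x22, 0x33, 0x44, 0x55};  // src (constructed)
    if (tagged) f.insert(f.end(), {0x81, 0x00, 0x80, 0x64});        // PCP 4, VID 100
    f.insert(f.end(), {0x88, 0xB8});
    uint16_t length = length_override >= 0 ? (uint16_t)length_override
                                           : (uint16_t)(8 + apdu.size());
    f.insert(f.end(), {(uint8_t)(appid >> 8), (uint8_t)appid,
                       (uint8_t)(length >> 8), (uint8_t)length, 0, 0, 0, 0});
    f.insert(f.end(), apdu.begin(), apdu.end());
    return f;
}

// Constructed non-GOOSE frame (EtherType 0x0800) for the negative case.
std::vector<uint8_t> sample_ipv4_frame() {
    return {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x00, 0x66, 0x77, 0x88, 0x99, 0xAA,
            0x08, 0x00, 0x45, 0x00, 0x00, 0x14};
}

int main() {
    std::vector<uint8_t> frame = build_goose_frame(true, 0x0001, sample_apdu());
    GooseFrame g = decode_vec(frame);
    std::printf("goose=%d vlan=%u appid=0x%04x apdu_len=%zu match(LLN0)=%d\n",
                (int)g.ok, (unsigned)g.vlan_id, (unsigned)g.appid, g.apdu_len,
                (int)apdu_contains(g, "LLN0"));
    std::vector<uint8_t> bad = build_goose_frame(true, 0x0001, sample_apdu(), 8 + 13 + 20);
    std::printf("oversized Length accepted=%d\n", (int)decode_vec(bad).ok);
    return 0;
}
```

The decoder returns the APDU as an offset and length rather than copying it, which is how a rule engine can then apply content matches to the GOOSE payload alone; the Length check is the part a decoder must never skip, since a forged Length larger than the frame would otherwise turn a content match into an out-of-bounds read inside the sensor.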
