Snort mailing list archives
BPF Alternative for PPPOE?
From: "Richard A. Burman III" <Richard.Burman () cinagen com>
Date: Mon, 30 Jun 2003 21:38:47 -0400
Hello, I am currently using Snort 2.0 (Build 72), libpcap-0.7.2, and tcpdump 3.7.2, all on RedHat 9, with ACID, MySQL, and SnortCenter, all running nicely on RedHat 9. My question pertains to an issue with BPF and PPPOE. I understand that when tapping a connection between the DSL modem interface and the red Ethernet interface on the firewall, the traffic is all encapsulated, and Snort seems to have no problem reading and discerning based on the ruleset.

The problem is that after I spent a good evening educating myself on tcpdump, writing BPF filters, and running a few tests on the filters I wrote using tcpdump (i.e. tcpdump -i eth1 -n -F /etc/snort/mybpf.conf, right from page 186 of my fresh new Snort 2.0 book!!! Great book, btw), I discovered that tcpdump cannot discern PPPOE as valid (TRUE) traffic and therefore will never match the filter. I know that there is an option if the interface on the particular box is of the SLIP/PPP nature: you can use the outbound/inbound option to write your filter, but it will not allow me to use that same setting on a standard stealthed interface that is tapping the link.

This really only poses an immediate problem for me on my home machine, since the people we service now all have screening routers, but we were planning on rolling out a few small servers to some of our customers who are using DSL. I realize that the typical user environment that would benefit from BPFs is high-bandwidth users, and it helps by keeping unnecessary traffic from ever tasking the engine, so the risk of packet loss is decreased. Given that DSL is limited in bandwidth, I really doubt that most decent interfaces would ever drop a packet with the bandwidth throttled as such. But the nice feature of BPFs that interested me equally was the ability to relieve altogether the traffic that does not need to be detected by Snort. My success in using the snort.conf for excluding hosts, either src, dst, or both, has been hit and miss.

BPFs just seemed better, given that the .conf file is a somewhat dynamic file, and changes are tweaked here and there, whereas BPFs are just there: nice, clean and neat, and a single place to add exclusions to clean up those unnecessary events. Sorry to ramble, but I wanted to be as specific as possible and hope that someone might have a suggestion as to what I can do. I tried, just for grins, to see if Snort treated the BPF any differently than tcpdump did, but did not seem to have any success (with PPPOE). In the meantime, I will read up a little more on excluding hosts in the snort.conf file and welcome any suggestions.

Thank you!

Richard A. Burman III
Cinagen, Inc.
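The behaviour the post describes, as an added example that is not from the original thread or from Snort or libpcap: on a PPPoE link the Ethernet type is 0x8864 rather than 0x0800, and the IPv4 header sits behind a 6-byte PPPoE header and a 2-byte PPP protocol field, so a filter such as `not host X` compiled for plain Ethernet never examines the inner addresses and every PPPoE frame "passes" untouched. The code builds constructed sample frames (the MAC and IP addresses, session id and payload are invented for the demonstration), parses the inner IPv4 header in both encapsulations, contrasts a plain-Ethernet host exclusion with an encapsulation-aware one, and emits an equivalent textual BPF expression using raw `ether[offset:size]` tests at the offsets derived here (the offset arithmetic is the example's own; current libpcap also accepts the `pppoes` primitive, which shifts the offsets for you).

```python
import struct
import ipaddress

ETH_P_IP = 0x0800             # IPv4 directly in Ethernet
ETH_P_PPPOE_SESSION = 0x8864  # PPPoE session stage (RFC 2516)
PPP_PROTO_IPV4 = 0x0021       # PPP protocol number for IPv4


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def build_ipv4(src, dst, payload=b"", proto=6):
    """Minimal 20-byte IPv4 header (no options, checksum left zero) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_ethernet(src_mac, dst_mac, ethertype, payload):
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ethertype) + payload


def build_pppoe_session(src_mac, dst_mac, session_id, ip_packet):
    """Ethernet / PPPoE session header / PPP protocol field / IPv4."""
    ppp = struct.pack("!H", PPP_PROTO_IPV4) + ip_packet
    pppoe = struct.pack("!BBHH", 0x11, 0x00, session_id, len(ppp)) + ppp
    return build_ethernet(src_mac, dst_mac, ETH_P_PPPOE_SESSION, pppoe)


def inner_ipv4(frame):
    """Return (encapsulation, src_ip, dst_ip), or None if no IPv4 header is found."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_P_IP:
        ip, encap = frame[14:], "ethernet"
    elif ethertype == ETH_P_PPPOE_SESSION:
        if len(frame) < 22:
            return None
        ver_type, code, _sid, length = struct.unpack("!BBHH", frame[14:20])
        ppp_proto = struct.unpack("!H", frame[20:22])[0]
        if ver_type != 0x11 or code != 0x00 or ppp_proto != PPP_PROTO_IPV4:
            return None            # discovery stage or non-IPv4 PPP payload
        ip, encap = frame[22:20 + length], "pppoe"
    else:
        return None
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    return (encap, str(ipaddress.IPv4Address(ip[12:16])),
            str(ipaddress.IPv4Address(ip[16:20])))


def passes_plain_exclusion(frame, host):
    """Emulates `not host <host>` as compiled for a plain Ethernet link: only
    ethertype 0x0800 frames are inspected, so a PPPoE frame can never match
    `host` and therefore always passes the negated filter through to the engine."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return True
    target = ipaddress.IPv4Address(host).packed
    ip = frame[14:]
    return not (ip[12:16] == target or ip[16:20] == target)


def passes_encap_aware_exclusion(frame, host):
    """The same exclusion, but applied to the inner IPv4 header in either encapsulation."""
    parsed = inner_ipv4(frame)
    if parsed is None:
        return True
    _encap, src, dst = parsed
    return host not in (src, dst)


def pppoe_exclusion_bpf(host):
    """Textual BPF excluding <host> on plain Ethernet and inside PPPoE sessions.
    Offsets: PPP protocol at ether[20:2]; inner IPv4 starts at 22, so the
    source address is at ether[34:4] and the destination at ether[38:4]."""
    hexip = "0x" + ipaddress.IPv4Address(host).packed.hex()
    return (f"not host {host} and not (ether proto 0x8864 and ether[20:2] = 0x0021 "
            f"and (ether[34:4] = {hexip} or ether[38:4] = {hexip}))")


# Constructed sample frames (addresses invented for the demonstration).
CLIENT_MAC, ACCESS_MAC = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
PLAIN_FRAME = build_ethernet(CLIENT_MAC, ACCESS_MAC, ETH_P_IP,
                             build_ipv4("192.168.1.5", "10.0.0.1", b"x" * 8))
PPPOE_FRAME = build_pppoe_session(CLIENT_MAC, ACCESS_MAC, 0x1234,
                                  build_ipv4("192.168.1.5", "10.0.0.1", b"x" * 8))
OTHER_PPPOE_FRAME = build_pppoe_session(CLIENT_MAC, ACCESS_MAC, 0x1234,
                                        build_ipv4("172.16.0.9", "10.0.0.1", b"x" * 8))

if __name__ == "__main__":
    for name, frame in (("plain", PLAIN_FRAME), ("pppoe", PPPOE_FRAME)):
        print(name, inner_ipv4(frame),
              "plain-filter passes:", passes_plain_exclusion(frame, "192.168.1.5"),
              "encap-aware passes:", passes_encap_aware_exclusion(frame, "192.168.1.5"))
    print(pppoe_exclusion_bpf("192.168.1.5"))
```

Running it shows the mismatch the post ran into: the plain filter drops the Ethernet frame from 192.168.1.5 but lets the identical packet through when it arrives inside a PPPoE session, while the encapsulation-aware check excludes both. The printed BPF string is the offset-based form of the same exclusion, suitable for a tap on the modem side of the link.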