Snort mailing list archives
Re: no payload on ppp0
From: Erek Adams <erek () snort org>
Date: Fri, 24 Oct 2003 14:44:03 -0400 (EDT)
On Fri, 24 Oct 2003, Jochen Vogel wrote:
hi,

i use redhat9 with iptables and pppoe.

i start snort with

/usr/local/bin/snort -c /etc/snort/snort.conf -d -D

and log the unified log file with barnyard into mysql and to dump.log

if i use eth1 i can see payload

[**] [1:407:4] ICMP Destination Unreachable (Undefined Code!) [**]
[Classification: Misc activity] [Priority: 3]
Event ID: 2 Event Reference: 2
10/24/03-10:56:53.873905 194.9.167.200 -> 192.168.63.1
ICMP TTL:52 TOS:0xC4 ID:47986 IpLen:20 DgmLen:74
Type:3 Code:3 DESTINATION UNREACHABLE: PORT UNREACHABLE
00 00 00 00 45 84 00 2E 27 D3 00 00 74 11 B4 EC  ....E...'...t...
C0 A8 3F 01 C2 09 A7 C8 0C 40 12 39 00 1A 6A 61  ..?......@.9..ja
E3 9A 5F 74 52 6D 93 CB 93 75 0E 52 26 1A 4F C6  .._tRm...u.R&.O.
CC 73                                            .s
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

if i use ppp0 i can't see payload

[**] [1:409:4] ICMP Echo Reply (Undefined Code!) [**]
[Classification: Misc activity] [Priority: 3]
Event ID: 48 Event Reference: 48
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Snort can't decode PPPoE fully. Use eth1 instead.

Cheers!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson