AW: AW: no payload on ppp0

[Jochen Vogel <jvogel () it-sec de>]

if i do an snort -vd i can see payload on all interfaces
eth0, eth1 and ppp0

> sorry.
> ppp0 & eth0 are on the same interface.
>
>
> > You could try a Tap between ppp0 and eth0.  That might solve your
> > problem without too much work. Google "network taps" and you
> > should get a good variety of info and vendors to check out.  One
> > note, if you tap you will need to build a snort box with 2
> > sniffer interfaces.  One for receive traffic and one for send
> > traffic as the tap will spilt them up on two different lines.
> >
> > Shawn
> >
> > > > > <mail () cortical de> 10/25/03 04:43am >>>
> > hi,
> >
> > this iy my topo
> >
> >     |
> >    ppp0
> >    eth0
> >     |
> > firewall-eth2-
> >     |
> >    eth1
> >
> > -how can i use snort on the external side with payload?
> >
> >
> >
> > > -----Ursprungliche Nachricht-----
> > > Von: snort-users-admin () lists sourceforge net
> > > [mailto:snort-users-admin () lists sourceforge net]Im 
> Auftrag von Erek
> > > Adams
> > > Gesendet: Freitag, 24. Oktober 2003 20:44
> > > An: Jochen Vogel
> > > Cc: snort-users () lists sourceforge net
> > > Betreff: Re: [Snort-users] no payload on ppp0
> > >
> > >
> > > On Fri, 24 Oct 2003, Jochen Vogel wrote:
> > >
> > > > hi,
> > > >
> > > > iuse redhat9 with iptables and pppoe.
> > > >
> > > > i start snort with /usr/local/bin/snort -c 
> /etc/snort/snort.conf -d -D
> > > > and log the unified log file with barnyard into mysql 
> and to dump.log
> > > > if i use eth1 i can see payload
> > > > [**] [1:407:4] ICMP Destination Unreachable (Undefined 
> Code!) [**]
> > > > [Classification: Misc activity] [Priority: 3]
> > > > Event ID: 2     Event Reference: 2
> > > > 10/24/03-10:56:53.873905 194.9.167.200 -> 192.168.63.1
> > > > ICMP TTL:52 TOS:0xC4 ID:47986 IpLen:20 DgmLen:74
> > > > Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
> > > > 00 00 00 00 45 84 00 2E 27 D3 00 00 74 11 B4 EC  
> ....E...'...t...
> > > > C0 A8 3F 01 C2 09 A7 C8 0C 40 12 39 00 1A 6A 61  
> ..?......@.9..ja
> > > > E3 9A 5F 74 52 6D 93 CB 93 75 0E 52 26 1A 4F C6  
> .._tRm...u.R&.O.
> > > > CC 73                                            .s
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> =+=+=+=+=+=+
> > > > if i use ppp0 i cant see payload
> > > > [**] [1:409:4] ICMP Echo Reply (Undefined Code!) [**]
> > > > [Classification: Misc activity] [Priority: 3]
> > > > Event ID: 48     Event Reference: 48
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> =+=+=+=+=+=+
> > > Snort can't decode PPPoE fully.
> > >
> > > Use eth1 instead.
> > >
> > > Cheers!
> > >
> > > -----
> > > Erek Adams
> > >
> > >    "When things get weird, the weird turn pro."   H.S. Thompson
> > >
> > >
> > > -------------------------------------------------------
> > > This SF.net email is sponsored by: The SF.net Donation Program.
> > > Do you like what SourceForge.net is doing for the Open
> > > Source Community?  Make a contribution, and help us add new
> > > features and functionality. Click here: 
> http://sourceforge.net/donate/
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> >
> >
> > -------------------------------------------------------
> > This SF.net email is sponsored by: The SF.net Donation Program.
> > Do you like what SourceForge.net is doing for the Open
> > Source Community?  Make a contribution, and help us add new
> > features and functionality. Click here: 
> http://sourceforge.net/donate/
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: The SF.net Donation Program.
> Do you like what SourceForge.net is doing for the Open
> Source Community?  Make a contribution, and help us add new
> features and functionality. Click here: http://sourceforge.net/donate/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
This SF.net email is sponsored by: The SF.net Donation Program.
Do you like what SourceForge.net is doing for the Open
Source Community?  Make a contribution, and help us add new
features and functionality. Click here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users