Snort mailing list archives

Re: snort and ATM


From: Dragos Ruiu <dr () kyx net>
Date: Wed, 2 Mar 2005 13:05:45 -0800

On March 2, 2005 02:18 am, Teva AVRIL wrote:
> So my question is simple: how could I manage to run Snort to capture
> traffic on an ATM interface if Snort doesn't handle ATM? Is it because
> decapsulation on RedHat9 is done so that Snort is able to understand IP
> packets or something like this? Or maybe the latest libpcap could handle
> ATM now?

Probably something did the reassembly for you.
If you need to do it, and you are using AAL5, it's very straightforward
if your interface gives you raw cells...
(And I assume it _is_ AAL5 as AAL3/4 pretty much went the way of
the dinosaurs...)

AAL5 segmentation is simple... tack a header and trailer (checksum)
on the IP packet, slice it up into 48 byte ATM payloads, add 5 byte
ATM header onto each and get 53 byte ATM cells.

A bit in the header will indicate the last cell of a packet.

Lather Rinse Repeat.

It's pretty easy to reassemble those back into IP packets.
The code is left as an exercise for the reader :-).

Though likely the reassembly is done in hardware and
you are getting AAL5 packets and you may just have to strip
the additional header and trailer off the IP packets to process
them in Snort.

cheers,
--dr
 
-- 
World Security Pros. Cutting Edge Training, Tools, and Techniques
Vancouver, Canada       May 4-6 2005  http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp
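The segmentation and reassembly sketched in the reply above, worked through as an added example (this is not code from the original post, from Snort or from libpcap). It follows the standard AAL5 CPCS-PDU layout (ITU-T I.363.5: payload, zero padding up to a multiple of 48 bytes, then an 8-byte trailer of CPCS-UU, CPI, Length and CRC-32) and the UNI cell header (ITU-T I.361: GFC, VPI, VCI, PTI, CLP, HEC), with the PTI low bit marking the last cell of a PDU. The sample "IP packets", the VPI/VCI values and the class and function names (`segment`, `Aal5Reassembler`, `demo`, `corruption_check`) are all constructed for the example; CPCS-UU and CPI are left zero. Beyond the single-VC case in the text it also handles cells from two virtual circuits interleaved on the same link, and it shows what the HEC and trailer CRC catch when a cell is corrupted.

```python
# Added example (not from the original post, Snort or libpcap): AAL5 segmentation
# and reassembly of IP packets into/from 53-byte ATM cells. Header layout per
# ITU-T I.361, CPCS-PDU layout per ITU-T I.363.5; sample packets are constructed.
import struct
from collections import defaultdict

CELL_PAYLOAD, CELL_SIZE = 48, 53
TRAILER_LEN = 8  # CPCS-UU(1) + CPI(1) + Length(2) + CRC-32(4)


def _crc(data: bytes, poly: int, width: int, init: int) -> int:
    """Plain MSB-first CRC (AAL5 and the HEC are not bit-reflected like zlib.crc32)."""
    top, mask, crc = 1 << (width - 1), (1 << width) - 1, init
    for byte in data:
        crc ^= byte << (width - 8)
        for _ in range(8):
            crc = ((crc << 1) ^ poly if crc & top else crc << 1) & mask
    return crc

def crc32_aal5(data: bytes) -> int:
    """AAL5 trailer CRC-32: poly 0x04C11DB7, init all ones, result complemented."""
    return _crc(data, 0x04C11DB7, 32, 0xFFFFFFFF) ^ 0xFFFFFFFF

def hec(header4: bytes) -> int:
    """Header Error Control: CRC-8 (x^8+x^2+x+1) over the first four header bytes, XOR 0x55."""
    return _crc(header4, 0x07, 8, 0) ^ 0x55

def cell_header(vpi: int, vci: int, last: bool) -> bytes:
    """UNI header GFC(4) VPI(8) VCI(16) PTI(3) CLP(1) HEC(8); PTI bit 0 marks the last cell."""
    first4 = struct.pack(">I", (vpi & 0xFF) << 20 | (vci & 0xFFFF) << 4 | (1 if last else 0) << 1)
    return first4 + bytes([hec(first4)])

def parse_header(cell: bytes):
    """Return (vpi, vci, last_cell) from a 53-byte cell."""
    word = struct.unpack(">I", cell[:4])[0]
    return (word >> 20) & 0xFF, (word >> 4) & 0xFFFF, bool((word >> 1) & 1)

def segment(ip_packet: bytes, vpi: int, vci: int) -> list:
    """Payload + zero pad to a 48-byte multiple + 8-byte trailer, sliced into cells."""
    pad = (-(len(ip_packet) + TRAILER_LEN)) % CELL_PAYLOAD
    body = ip_packet + bytes(pad) + struct.pack(">BBH", 0, 0, len(ip_packet))  # UU, CPI, Length
    pdu = body + struct.pack(">I", crc32_aal5(body))
    return [cell_header(vpi, vci, off + CELL_PAYLOAD >= len(pdu)) + pdu[off:off + CELL_PAYLOAD]
            for off in range(0, len(pdu), CELL_PAYLOAD)]


class Aal5Reassembler:
    """Collect payloads per (VPI, VCI) until the last-cell bit, verify the trailer,
    return the IP packet. Cells from different VCs may interleave on the wire."""

    def __init__(self):
        self.buffers = defaultdict(bytearray)

    def feed(self, cell: bytes):
        if len(cell) != CELL_SIZE:
            raise ValueError("not a 53-byte cell")
        if hec(cell[:4]) != cell[4]:
            raise ValueError("HEC mismatch")  # corrupted header: VPI/VCI/PTI untrustworthy
        vpi, vci, last = parse_header(cell)
        self.buffers[(vpi, vci)] += cell[5:]
        if not last:
            return None
        pdu = bytes(self.buffers.pop((vpi, vci)))
        body, crc = pdu[:-4], struct.unpack(">I", pdu[-4:])[0]
        if crc32_aal5(body) != crc:
            raise ValueError("CRC-32 mismatch")  # a cell was lost or corrupted
        length = struct.unpack(">BBH", body[-4:])[2]
        if length > len(body) - 4:
            raise ValueError("trailer length exceeds PDU")
        return (vpi, vci), body[:length]  # the IP packet you would hand to Snort


# Constructed IPv4-shaped packets: version/IHL, TOS, total length, then filler.
SAMPLE_A = b"\x45\x00\x00\x78" + bytes(16) + b"A" * 100  # 120 bytes -> 3 cells
SAMPLE_B = b"\x45\x00\x00\x32" + bytes(16) + b"B" * 30   # 50 bytes  -> 2 cells

def demo():
    """Interleave two VCs the way a switch would and reassemble both packets."""
    a, b = segment(SAMPLE_A, 0, 32), segment(SAMPLE_B, 0, 33)
    r = Aal5Reassembler()
    return [res for res in map(r.feed, [a[0], b[0], a[1], b[1], a[2]]) if res is not None]

def corruption_check():
    """Flip one header bit of the first cell, then one payload bit of the last cell."""
    cells, outcomes = segment(SAMPLE_B, 0, 33), []
    for idx, pos in ((0, 1), (1, 20)):
        bad = bytearray(cells[idx])
        bad[pos] ^= 0x01
        r = Aal5Reassembler()
        try:
            for c in cells[:idx] + [bytes(bad)]:
                r.feed(c)
            outcomes.append("accepted")
        except ValueError as e:
            outcomes.append(str(e))
    return tuple(outcomes)
```

If the adapter already does the reassembly, as the reply suggests is likely, only the tail of `feed` applies: check the CRC, read the Length field from the trailer, and keep that many bytes from the front of the PDU; the padding and trailer are what you strip before handing the packet to Snort.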

