Snort mailing list archives

Re: mpls


From: Martin Roesch <roesch () sourcefire com>
Date: Fri, 15 Jun 2007 10:12:29 -0400


Please be aware that Snort 3 doesn't have a detection engine yet, so  
apart from decoding and printing the packets in four fun-filled  
modes, it doesn't do a whole lot yet.

I'm working on a new release that'll let you actually start analyzing  
packets, stay tuned!

        -Marty

On Jun 15, 2007, at 7:30 AM, Paul Melson wrote:

I need to sniff a link that uses mpls headers. Does
anyone have some advice for doing this successfully?

From http://www.snort.org/users/roesch/Site/Snort%203.0.html

"...most specifically the new protocol decoders that have been added
for Snort 3.0 including IPv6, MPLS, GRE and 802.1q as well as the new
TCP and IP option decoders."

I'd say Snort 3.0 is your best bet.  Otherwise you're in uncharted
waters, I think.  If you had to use 2.6.x right now, you might be able
to use something like mpls-linux and bridging and then have Snort
attach to the Ethernet bridge interface.  I have no idea if that would
actually work, though.

PaulM

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org






