Re: PPPoE problem with Snort on OpenBSD 4.7.

[Russ Combs <rcombs () sourcefire com>]

On Mon, Aug 9, 2010 at 4:41 PM, Schrodinger <schrodinger () konundrum org>wrote:

> On Mon, Aug 09, 2010 at 04:16:54PM -0400, Russ Combs wrote:
> [...]
>
> >      From what I can tell the problem is that in src/snort.c there is no
> >      support for 'DLT_PPP_ETHER'.
> >
> >    I believe you nailed this one.  Not sure how back the problem goes,
> but
> >    the fix will be in Snort 2.9.0.  If you are comfortable reading
> source,
> >    hopefully you can download the latest tarball and build from there.
>  The
> >    fix won't be in that tarball, but it should be in the next.
>
> Cheers Russ.
>
> I tried to patch snort.c myself but I either missed something or there
> are additional complexities that I'm not aware of but the following
> changes resulted in a core dump as soon as snort began inspecting
> packets. I thought that the issue might have been my firewall being
> under-performed for snort, which could also still be the case but it
> runs fine on the same box when sniffing traffic on the inside ethernet
> interface.

That is the basic patch I had in mind.  I've already opened a bug for it.

Can you send me a pcap to attach to the bug to facilitate the fix?

If you also send a backtrace from the debugger we might be able to offer
suggestions to get it working, assuming it is basically OK.

Thanks
Russ

> --- snort.c-dist        Sun Aug  8 23:38:37 2010
> +++ snort.c     Sun Aug  8 23:51:55 2010
> @@ -2926,6 +2926,17 @@
>             grinder = DecodeI4LCiscoIPPkt;
>             break;
>  #endif
> +#ifdef DLT_PPP_ETHER
> +       case DLT_PPP_ETHER:
> +               if (!ScReadMode())
> +               {
> +                       LogMessage("Decoding PPPoE on interface %s\n",
> +                               PRINT_INTERFACE(pcap_interface));
> +               }
> +
> +               grinder = DecodePPPoEPkt;
> +               break;
> +#endif
>
>         default:
>             /* oops, don't know how to handle this one */
>
> Conor.
>
> >      Can you help with this ? If you need any more information please
> ask.
> >      Many thanks,
> >      Conor.
> >      --
> >      +---------------------------------------------------------------+
> >      It was a new day yesterday, but it's an old day now.
> >      MSN: schro5 () hotmail com
> >      ICQ: 112562229
> >      GPG: http://www.konundrum.org/schro.asc
>  ------------------------------------------------------------------------------
> >      This SF.net email is sponsored by
> >
> >      Make an app they can't live without
> >      Enter the BlackBerry Developer Challenge
> >      http://p.sf.net/sfu/RIM-dev2dev
> >      _______________________________________________
> >      Snort-users mailing list
> >      Snort-users () lists sourceforge net
> >      Go to this URL to change user options or unsubscribe:
> >      https://lists.sourceforge.net/lists/listinfo/snort-users
> >      Snort-users list archive:
> >      http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> --
> +---------------------------------------------------------------+
> It was a new day yesterday, but it's an old day now.
> MSN: schro5 () hotmail com
> ICQ: 112562229
> GPG: http://www.konundrum.org/schro.asc
------------------------------------------------------------------------------
This SF.net email is sponsored by 

Make an app they can't live without
Enter the BlackBerry Developer Challenge
http://p.sf.net/sfu/RIM-dev2dev

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users