Snort mailing list archives
Re: [PATCH] Add non-IP layer 3 detection via new 'ether_type' keyword and 'eth' protocol
From: Joel Esler <jesler () sourcefire com>
Date: Mon, 28 Nov 2011 08:24:53 -0500
Same here Joshua.

On Nov 20, 2011, at 8:24 PM, Joshua Kinard wrote:

> On 11/13/2011 16:37, Joshua Kinard wrote:
>> Hi snort-devel,
>>
>> I decided to play around some more in src/decode.c, and got to thinking, with all of these additional Decode* functions that don't seem to see a lot of use, why not provide some baseline support to at least scan some of the protocols?
>>
>> End result is I didn't fiddle with too much in decoder.c, but wound up adding a new rule protocol, "eth", and a new rule option, "ether_type". The purpose is to open up Snort to detecting things other than IP-based traffic by leveraging the existing capabilities of the fast-pattern matcher and detection engine.
>
> Okay, I forgot to synchronize SFSnortPacket in sf_snort_packet.h with the changes I made to Packet in decode.h, which resulted in an alignment problem in any of the dynamic preprocessors. The attached patch fixes this.
>
> Any comment so far? List has been dead all week.
>
> --
> Joshua Kinard
> Gentoo/MIPS
> kumba () gentoo org
> 4096R/D25D95E3 2011-03-28
>
> "The past tempts us, the present confuses us, the future frightens us. And our lives slip away, moment by moment, lost in that vast, terrible in-between."
> --Emperor Turhan, Centauri Republic
>
> <snort-2.9.2-ether_type-support.patch>
Current thread:
- [PATCH] Add non-IP layer 3 detection via new 'ether_type' keyword and 'eth' protocol Joshua Kinard (Nov 13)
- Re: [PATCH] Add non-IP layer 3 detection via new 'ether_type' keyword and 'eth' protocol Joshua Kinard (Nov 20)
- Re: [PATCH] Add non-IP layer 3 detection via new 'ether_type' keyword and 'eth' protocol Joel Esler (Nov 28)
- Re: [PATCH] Add non-IP layer 3 detection via new 'ether_type' keyword and 'eth' protocol Joshua Kinard (Dec 26)