Snort mailing list archives

RE: [Newbie] pppoe


From: Marc Thompson <Marc.Thompson () bops com>
Date: Thu, 7 Jun 2001 09:50:53 -0500

William,

I don't know how difficult it would be to add awareness of PPPoE to
Snort.  Though, I do believe that each version adds more protocols...
maybe someone out there knows whether or not this is being considered.

Not being a C coder I can only speculate on how easy or hard it
would be to add support for PPPoE to Snort.  I still think that the
way to go is to get a DSL modem that strips the PPP encapsulation
from the packet and sends regular Ethernet frames to your PC, but
maybe writing a PPPoE handler is a personal scratch for you to itch,
so by all means give it a whirl.

Performance... whizbang.  Snort (for me) hasn't had any trouble
sniffing high-speed networks.  The trick is to use only the rules
that you really need.  If you're not running the Chameleon server, for
example, there's really no need to use rules that check for
the Chameleon SMTP overflow attack.

Regards,
Marc Thompson

*******************************************
Marc Thompson
IT Site Manager
BOPS, Inc.
7800 Shoal Creek Blvd. Suite 200N
Austin, TX 78757
Direct: (512)407-1103
Fax:  (512)346-8407


-----Original Message-----
From: William Pomian [mailto:willish () free fr]
Sent: Thursday, June 07, 2001 8:14 AM
To: Marc Thompson
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] [Newbie] pppoe


On Thu, 7 Jun 2001 07:41:59 -0500 Marc Thompson wrote:
> William,
>
> It looks like it is working, just doesn't know how to
> decode the protocol:
>
>   OTHER: 2009       (99.851%)
>
> Are you using a DSL modem?  It may be possible to exchange
> your DSL modem for one that has a bona-fide Ethernet connection
> in it.

I haven't looked at the Snort source code yet, but it may be possible
to implement PPPoE decapsulation like Ethereal does ...

Do you think that is a hard task?
What about Snort performance?

Thx Marc,

William.
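
The PPPoE decapsulation discussed in this thread, sketched as an added example (not code from either poster or from the Snort source): it strips the Ethernet and PPPoE session headers defined in RFC 2516 and returns the inner PPP payload for a decoder to continue with. The function name, the constructed sample frame and the assumption of an uncompressed 2-byte PPP protocol field are illustrative.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_HLEN             14      /* dst MAC + src MAC + EtherType */
#define PPPOE_HLEN           6       /* ver/type, code, session id, length */
#define ETHERTYPE_PPPOE_SESS 0x8864  /* PPPoE session stage (RFC 2516) */
#define PPP_PROTO_IPV4       0x0021

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns a pointer to the PPP payload (e.g. the IP header), or NULL if the
 * frame is not a well-formed PPPoE session data frame. Assumes the PPP
 * protocol field is the uncompressed 2-byte form. */
const uint8_t *pppoe_decap(const uint8_t *frame, size_t len,
                           uint16_t *ppp_proto, size_t *inner_len)
{
    if (len < ETH_HLEN + PPPOE_HLEN + 2) return NULL;          /* truncated capture */
    if (rd16(frame + 12) != ETHERTYPE_PPPOE_SESS) return NULL; /* not PPPoE session */
    const uint8_t *h = frame + ETH_HLEN;
    if (h[0] != 0x11 || h[1] != 0x00) return NULL;  /* ver 1, type 1, code 0 = data */
    size_t plen = rd16(h + 4);                      /* PPP protocol field + payload */
    if (plen < 2 || plen > len - ETH_HLEN - PPPOE_HLEN) return NULL; /* bad length */
    *ppp_proto = rd16(h + PPPOE_HLEN);
    *inner_len = plen - 2;
    return h + PPPOE_HLEN + 2;
}

/* Constructed sample: PPPoE session 1 carrying a bare 20-byte IPv4 header. */
const uint8_t SAMPLE_FRAME[] = {
    0x02,0,0,0,0,0x01, 0x02,0,0,0,0,0x02, 0x88,0x64,   /* Ethernet */
    0x11,0x00, 0x00,0x01, 0x00,0x16,                   /* PPPoE, length 22 */
    0x00,0x21,                                         /* PPP: IPv4 */
    0x45,0,0,0x14, 0,0,0,0, 0x40,0x01,0,0, 192,0,2,1, 192,0,2,2
};

int main(void)
{
    uint16_t proto; size_t n;
    const uint8_t *ip = pppoe_decap(SAMPLE_FRAME, sizeof SAMPLE_FRAME, &proto, &n);
    if (ip && proto == PPP_PROTO_IPV4)
        printf("PPP proto 0x%04x, %zu inner bytes, IP version %d\n", proto, n, ip[0] >> 4);
    return ip ? 0 : 1;
}
```

The length check against the captured size matters for a sniffer: Ethernet padding can make the frame longer than the PPPoE length field, and a forged length field must never make the decoder read past the capture.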
