Snort mailing list archives
Snort 1.8.6 and PPPoE links
From: "C.J.O." <cjo@sympatico.ca>
Date: Thu, 20 Jun 2002 19:03:52 -0400
Re all,

I'm running snort 1.8.6 in daemon mode and logging in binary format, and have been experiencing some "issues".
This particular sensor is snorting via a NIC running stealth, which has been positioned directly behind a DSL modem with PPPoE connectivity. Therefore the snort sensor is "seeing" raw PPPoE.
{switch}<-->{router doing NAT} <-snort sensor->{DSL modem} <-->{Internet}

I bring up snort with:

/usr/sbin/snort -A full -b -l /var/log/snort/ -d -e -D -i eth1 -c /etc/snort/snort.conf
If I choose normal, non-binary/tcpdump format logging, I don't run into any problems. The "issue" I'm experiencing is that each logged packet is logged as "Ethernet II" format according to Ethereal, and thus lacks layer 3 and layer 4 info. This layer 3/4 data is present in the logged entry in the "alert" file, but not in the binary packet logs.
Here is a typical packet:

17:24:22.804107 0:78:a6:60:40:0 0:7a:0:21:45:0 7d06 142:
0x0000 9155 40e7 1031 40e7 33cb 05a3 0050 63e4 .U@..1@.3....Pc.
0x0010 e68d 7475 e84a 5018 4248 e642 0000 4745 ..tu.JP.BH.B..GE
0x0020 5420 2f63 2f77 696e 6e74 2f73 7973 7465 T./c/winnt/syste
0x0030 6d33 322f 636d 642e 6578 653f 2f63 2b64 m32/cmd.exe?/c+d
0x0040 6972 2048 5454 502f 312e 300d 0a48 6f73 ir.HTTP/1.0..Hos
0x0050 743a 2077 7777 0d0a 436f 6e6e 6e65 6374 t:.www..Connnect
0x0060 696f 6e3a 2063 6c6f 7365 0d0a 0d0a 3a20 ion:.close....:.
0x0070 4170 6163 6865 0d0a 5757 572d 4175 7468 Apache..WWW-Auth

In addition, my snort binary logs contain numerous "Malformed Packets". I'm aware that libpcap has problems with PPPoE (lack of PPPoE code). Could this be the cause here as well? Does snort use libpcap for its binary logging or libnet?
I should mention that I have seen some properly binary-logged packets, complete with layer 2, 3 & 4 data; however, 95% of the time it's like the above.
TIA to all.

Cheers,
Christopher J. Oliver
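As an added illustration (not part of the original post and not Snort's or Ethereal's code), here is a small PPPoE-aware frame decoder in Python run over a constructed sample frame: a decoder that stops at the Ethernet II header sees only ethertype 0x8864 and no layer 3/4 fields, while one that walks the PPPoE and PPP headers recovers the IP addresses and TCP ports. The MAC addresses, IP addresses, ports and session id in the sample are assumptions chosen for the example.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_PPPOE_SESSION = 0x8864    # RFC 2516 session-stage frames
PPP_PROTO_IPV4 = 0x0021             # PPP protocol number for IPv4
PPPOE_HDR = struct.Struct("!BBHH")  # ver/type, code, session id, payload length

def parse_ethernet(frame: bytes) -> dict:
    """Ethernet II header: dst(6) src(6) ethertype(2); payload follows."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": etype, "payload": frame[14:]}

def parse_ipv4(pkt: bytes) -> dict:
    """Minimal IPv4 decode plus TCP/UDP ports; checksums are not verified."""
    ver_ihl, proto = pkt[0], pkt[9]
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (ver_ihl & 0x0F) * 4
    info = {"src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])), "proto": proto}
    if proto in (6, 17):  # TCP or UDP: ports are the first four bytes of the L4 header
        info["sport"], info["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return info

def decode_frame(frame: bytes, pppoe_aware: bool = True) -> dict:
    """Walk Ethernet -> (PPPoE -> PPP) -> IPv4. With pppoe_aware=False the decoder
    stops at the Ethernet header, which is what "Ethernet II, no layer 3/4" looks like."""
    eth = parse_ethernet(frame)
    payload = eth["payload"]
    if eth["ethertype"] == ETHERTYPE_IPV4:
        return {"encap": "ethernet", **parse_ipv4(payload)}
    if pppoe_aware and eth["ethertype"] == ETHERTYPE_PPPOE_SESSION:
        ver_type, code, session_id, length = PPPOE_HDR.unpack(payload[:6])
        (ppp_proto,) = struct.unpack("!H", payload[6:8])
        if ver_type == 0x11 and code == 0 and ppp_proto == PPP_PROTO_IPV4:
            ip = payload[8:6 + length]  # PPPoE length counts the 2-byte PPP protocol field
            return {"encap": "pppoe", "session_id": session_id, **parse_ipv4(ip)}
    return {"encap": "unknown", "ethertype": eth["ethertype"]}

def build_sample_frame() -> bytes:
    """Constructed PPPoE session frame carrying a TCP SYN to port 80 (sample data, not from the post)."""
    tcp = struct.pack("!HHIIBBHHH", 1443, 80, 0x63E4E68D, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0xA660, 0x4000, 122, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10])) + tcp
    ppp = struct.pack("!H", PPP_PROTO_IPV4) + ip
    pppoe = PPPOE_HDR.pack(0x11, 0x00, 0x1234, len(ppp)) + ppp
    eth = bytes.fromhex("00a0c9000001" "00e0b1000002") + struct.pack("!H", ETHERTYPE_PPPOE_SESSION)
    return eth + pppoe
```

Calling decode_frame(build_sample_frame(), pppoe_aware=False) returns only the ethertype (0x8864), whereas decode_frame(build_sample_frame()) returns the session id, both IP addresses and both TCP ports.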