Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Snort 1.8.6 and PPPoE links

From: "C.J.O." <cjo () sympatico ca>
Date: Thu, 20 Jun 2002 19:03:52 -0400
Re all,
I'm running snort 1.8.6 in daemon mode and logging in binary format, and have been experiencing some "issues".
This particular sensor is snorting via a NIC running stealth, which has been positioned directly behind a DSL modem with PPPoE connectivity. Therefore the snort sensor is "seeing" raw PPPoE. 

{switch}<-->{router doing NAT} <-snort sensor->{DSL modem} <-->{Internet}


I bring up snort with:
/usr/sbin/snort -A full -b -l /var/log/snort/ -d -e -D -i eth1 -c /etc/snort/snort.conf
If I choose normal, non-binary/tcpdump format logging, I don't run into any problems. The "issue" I'm experiencing is that each logged packet is logged as "Ethernet II" format according to Ethereal, and thus lacks layer 3 and layer 4 info. This layer 3/4 data is present in the logged entry in the "alert" file, but not in the binary packet logs. 

Here is a typical packet:

17:24:22.804107 0:78:a6:60:40:0 0:7a:0:21:45:0 7d06 142:
0x0000   9155 40e7 1031 40e7 33cb 05a3 0050 63e4        .U@..1 ()  3    Pc.
0x0010   e68d 7475 e84a 5018 4248 e642 0000 4745        ..tu.JP.BH.B..GE
0x0020   5420 2f63 2f77 696e 6e74 2f73 7973 7465        T./c/winnt/syste
0x0030   6d33 322f 636d 642e 6578 653f 2f63 2b64        m32/cmd.exe?/c+d
0x0040   6972 2048 5454 502f 312e 300d 0a48 6f73        ir.HTTP/1.0..Hos
0x0050   743a 2077 7777 0d0a 436f 6e6e 6e65 6374        t:.www..Connnect
0x0060   696f 6e3a 2063 6c6f 7365 0d0a 0d0a 3a20        ion:.close....:.
0x0070   4170 6163 6865 0d0a 5757 572d 4175 7468        Apache..WWW-Auth

In addition, my snort binary logs contain numerous "Malformed Packets".
I'm aware that libpcap has problems with PPPoE (lack of PPPoE code). Could this be the cause here as well? Does snort use libpcap for it's binary logging or libnet?
I should mention that there have seen some properly binary logged packets, complete with layer 2, 3 & 4 data, however 95% of the time it's like above. 

TIA to all.  Cheers,

Christopher J. Oliver



-------------------------------------------------------
Sponsored by:
ThinkGeek at http://www.ThinkGeek.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: