Snort mailing list archives
Detecting ARP and "OTHER" protocols
From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>
Date: Fri, 13 Sep 2002 15:46:27 -0400
Hello,

I'm running Snort 1.8.7 on RHLinux7.0. I was looking at my Snort stats and notice that it says it detected ARP packets and "OTHER" packets besides IP/TCP/UDP. Since Snort seems to know about ARP packets, as a test, I created a test rule to alert whenever an ARP packet is detected so I can get an idea what is going on on my network. I started by creating a rule like this:

    alert arp any any -> any any (msg:"ARP packets detected";)

Though I got a segmentation fault (core dump). Is there another way I can do this, or is Snort not capable of alerting on ARP packets?

I was also looking to determine what "OTHER" protocols Snort claims it is seeing out there. What would be the best way to do this? It would seem logical to use an alert such as:

    alert !ip any any -> any any (msg:"Non-IP packets detected";)

but this didn't work either.

I was hoping someone had some tips on the above.....thanks!